#!/usr/bin/env bash
################################################################################
# Yarn Audit Wrapper
#
# This script performs a security audit on Yarn dependencies, with the ability
# to suppress vulnerabilities that are known and have no fix. The audit results
# are output in JSON format. Any new vulnerabilities are reported to the user.
#
# Required Dependencies:
# - jq: A lightweight and flexible command-line JSON processor
# - yarn: Fast, reliable, and secure dependency management
# - prettyPrintAudit.sh: Script to pretty print the audit results
#
# Usage:
# Mostly used in the pipeline, but it can also be run locally:
# Execute the script in the directory containing your project and yarn-audit-known-issues file:
# ./yarn-audit-with-suppressions.sh
#
# Exit Codes:
# 0 - Success, no vulnerabilities found or only known vulnerabilities found
# 1 - Unhandled vulnerabilities were found
################################################################################
# Exit script on error
set -e
# Check for dependencies
command -v yarn >/dev/null 2>&1 || { echo >&2 "yarn is required but it's not installed. Aborting."; exit 1; }
command -v jq >/dev/null 2>&1 || { echo >&2 "jq is required but it's not installed. Aborting."; exit 1; }
#######################################
# Print the remediation guidance shown when vulnerabilities remain that are
# not covered by the yarn-audit-known-issues file.
# Outputs:   the guidance text on stdout
# Returns:   0
#######################################
print_guidance() {
  printf '%s\n' \
    'Security vulnerabilities were found that were not ignored.' \
    'Check to see if these vulnerabilities apply to production' \
    'and/or if they have fixes available. If they do not have' \
    'fixes and they do not apply to production, you may ignore them' \
    'To ignore these vulnerabilities, run:' \
    '`yarn npm audit --recursive --environment production --json > yarn-audit-known-issues`' \
    'and commit the yarn-audit-known-issues file'
}
#######################################
# Print the message shown when yarn-audit-known-issues is not in the JSON
# format produced by the current suppression command.
# Outputs:   the message on stdout
# Returns:   0
#######################################
print_borked_known_issues() {
  printf '%s\n' \
    'You have an invalid yarn-audit-known-issues file.' \
    'The command to suppress known vulnerabilities has changed.' \
    'Please now use the following:' \
    '`yarn npm audit --recursive --environment production --json > yarn-audit-known-issues`'
}
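#######################################
# Report suppressions that no longer match any advisory from the current audit.
# Globals:   reads sorted-yarn-audit-known-issues and sorted-yarn-audit-issues
#            (one compact JSON advisory per line, in the current directory);
#            writes unneeded_suppressions
# Outputs:   a warning plus the pretty-printed stale suppressions on stdout,
#            nothing when every suppression is still needed
# Returns:   0
#######################################
check_for_unneeded_suppressions() {
  local line
  # The loop's stdout is redirected to unneeded_suppressions, which also
  # truncates any file left over from a previous local run; appending to an
  # existing file would report stale entries again on every run.
  # "|| [[ -n "$line" ]]" keeps a last line that lacks a trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    # "--" stops a line that begins with "-" from being parsed as a grep option.
    if ! grep -Fxq -- "$line" sorted-yarn-audit-issues; then
      printf '%s\n' "$line"
    fi
  done < sorted-yarn-audit-known-issues > unneeded_suppressions
  if [[ -s unneeded_suppressions ]]; then
    echo "WARNING: Unneeded suppressions found. You can safely delete these from the yarn-audit-known-issues file:"
    source bin/prettyPrintAudit.sh unneeded_suppressions
  fi
}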
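#######################################
# Extract the advisories of an audit JSON file into a sorted list with one
# compact JSON object per line.
# Arguments: $1 - audit JSON file (output of `yarn npm audit --json`)
#            $2 - destination file for the sorted advisory list
# Returns:   jq's exit status; without pipefail the pipeline would otherwise
#            report sort's (always successful) status and hide a parse failure
#######################################
sorted_advisories() {
  local jq_status
  jq -cr '.advisories | to_entries[].value' "$1" | sort > "$2"
  jq_status=${PIPESTATUS[0]}
  return "$jq_status"
}

# Perform yarn audit and process the results
today=$(date +"%s")
# Advisory 1096460 was ignored until 2024-02-21 (epoch seconds below); after
# that date the audit runs without the ignore so the advisory is reported again.
exclude_until="1708502400"
audit_args=(npm audit --recursive --environment production --json)
if (( today <= exclude_until )); then
  audit_args+=(--ignore 1096460)
fi
# yarn exits non-zero when it reports advisories, so its status is deliberately
# ignored here; the output file is validated below instead.
yarn "${audit_args[@]}" > yarn-audit-result || true

# Fail closed: an empty, truncated or differently formatted audit result would
# otherwise yield an empty advisory list and be reported as "no vulnerabilities".
# This is the same format test applied to the committed known-issues file.
if ! jq 'has("actions", "advisories", "metadata")' yarn-audit-result | grep -q true; then
  echo >&2 "yarn-audit-result is missing or not in the expected audit JSON format. Aborting."
  exit 1
fi
sorted_advisories yarn-audit-result sorted-yarn-audit-issues \
  || { echo >&2 "Could not extract advisories from yarn-audit-result. Aborting."; exit 1; }

# Check if there were any vulnerabilities
if [[ ! -s sorted-yarn-audit-issues ]]; then
  echo "No vulnerabilities found in project dependencies."
  # With nothing reported, every committed suppression is unneeded
  if [[ -f yarn-audit-known-issues ]]; then
    if sorted_advisories yarn-audit-known-issues sorted-yarn-audit-known-issues; then
      check_for_unneeded_suppressions
    else
      # Not fatal on a clean audit, but the file cannot be checked for stale entries
      print_borked_known_issues
    fi
  fi
  exit 0
fi

# Without a suppressions file every reported advisory is unhandled
if [[ ! -f yarn-audit-known-issues ]]; then
  source bin/prettyPrintAudit.sh sorted-yarn-audit-issues
  print_guidance
  exit 1
fi
# Test for old format of yarn-audit-known-issues
if ! jq 'has("actions", "advisories", "metadata")' yarn-audit-known-issues | grep -q true; then
  print_borked_known_issues
  exit 1
fi
# Sorting both sides makes the comparison independent of the order in which
# the two audit runs listed their advisories.
sorted_advisories yarn-audit-known-issues sorted-yarn-audit-known-issues \
  || { print_borked_known_issues; exit 1; }
# Retain old data ingestion style for cosmosDB
jq -cr '.advisories| to_entries[] | {"type": "auditAdvisory", "data": { "advisory": .value }}' yarn-audit-known-issues > yarn-audit-known-issues-result

# Every reported advisory that is not suppressed verbatim is new. The loop's
# output replaces any new_vulnerabilities file left over from a previous run,
# so a stale entry cannot fail a later run. "--" protects grep from lines that
# begin with "-"; "|| [[ -n "$line" ]]" keeps a last line without a newline.
while IFS= read -r line || [[ -n "$line" ]]; do
  if ! grep -Fxq -- "$line" sorted-yarn-audit-known-issues; then
    printf '%s\n' "$line"
  fi
done < sorted-yarn-audit-issues > new_vulnerabilities
# Check for unneeded suppressions
check_for_unneeded_suppressions
# Check if there were any new vulnerabilities
if [[ -s new_vulnerabilities ]]; then
  echo "Unsuppressed vulnerabilities found:"
  source bin/prettyPrintAudit.sh new_vulnerabilities
  print_guidance
  exit 1
fi
echo "Active suppressed vulnerabilities:"
while IFS= read -r line || [[ -n "$line" ]]; do
  if grep -Fxq -- "$line" sorted-yarn-audit-issues; then
    printf '%s\n' "$line"
  fi
done < sorted-yarn-audit-known-issues > active_suppressions
source bin/prettyPrintAudit.sh active_suppressions
exit 0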