Replacing Lighthouse for Hint #103

Open
lirantal opened this issue Jan 5, 2023 · 0 comments
Labels
enhancement New feature or request

Comments

lirantal commented Jan 5, 2023

Current situation

Today is-website-vulnerable depends on Lighthouse for its built-in auditing capabilities to load a webpage, detect its use of JavaScript libraries and their versions, and compare that with the Snyk database to report security vulnerabilities.

Reason for change

The Lighthouse project no longer reports on JavaScript libraries and their vulnerabilities, which means that once the library removes the pinned version of the Lighthouse dependency it will silently break, meaning all scans will result in false negatives and create an incorrect posture of no security vulnerabilities found.

Luckily for the project, we're pinning down dependencies to the point of a shrinkwrap file so we're not yet affected.

Suggested change

A Lighthouse alternative is the Hint project which does provide this integration along with other comparable features of Lighthouse.

It will require a refactor to replace Lighthouse with Hint and potentially a different usage of CLI/configuration and output, depending on the compatibility matrix of these two libraries.

A Hint code example

Following is a working code example of using Hint (need to npm install hint first):

// webhint's programmatic API (the `hint` package on npm)
const { Analyzer } = require("hint");

async function main() {
  const userConfig = {
    // Load the page in a real browser so runtime-loaded scripts are seen
    connector: {
      name: "puppeteer",
      options: {
        browser: "Chrome",
        headless: true,
      },
    },
    // The hint that matches detected JS libraries against the Snyk database
    hints: {
      "no-vulnerable-javascript-libraries": "error",
    },
    // Empty here, so `webhint.format()` below prints nothing; add e.g. "summary"
    // (after installing @hint/formatter-summary) to get formatted output
    formatters: [],
  };
  const options = {};
  const webhint = Analyzer.create(userConfig, options);

  // Returns one result per analyzed URL, each carrying its list of problems
  const results = await webhint.analyze("https://foxnews.com", options);

  results.forEach((result) => {
    console.log(`Result for: ${result.url}`);

    result.problems.forEach((problem) => {
      console.log(
        `${problem.hintId} - ${problem.resource} - ${problem.message}`
      );
      console.log("---->\r\n", JSON.stringify(problem));
      console.log("----");
    });

    // Hand the problems to the configured formatters (none configured above)
    webhint.format(result.problems);
  });
}

main().catch((err) => {
  console.error(err);
  process.exitCode = 1;
});

An example output of one of the problems when printed:

{
    "category": "security",
    "documentation": [
        {
            "link": "https://snyk.io/vuln/SNYK-JS-JQUERY-567880",
            "text": "Learn more about vulnerability SNYK-JS-JQUERY-567880 (medium) at Snyk"
        },
        {
            "link": "https://snyk.io/vuln/SNYK-JS-JQUERY-565129",
            "text": "Learn more about vulnerability SNYK-JS-JQUERY-565129 (medium) at Snyk"
        },
        {
            "link": "https://snyk.io/vuln/SNYK-JS-JQUERY-174006",
            "text": "Learn more about vulnerability SNYK-JS-JQUERY-174006 (medium) at Snyk"
        }
    ],
    "hintId": "no-vulnerable-javascript-libraries",
    "location": {
        "column": -1,
        "line": -1
    },
    "message": "'jQuery@3.1.1' has 3 known vulnerabilities (3 medium).",
    "resource": "https://www.foxnews.com/",
    "severity": 4,
    "sourceCode": ""
}
@lirantal lirantal added the enhancement New feature or request label Jan 5, 2023
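The issue's core risk is a scanner that silently stops reporting and turns every scan into a clean result. The following is an added example, not code from the is-website-vulnerable project or from webhint: it post-processes the `Analyzer.analyze()` results into findings and adds a canary check that refuses to trust a scan when a page known to embed a vulnerable library yields no `no-vulnerable-javascript-libraries` finding. It assumes each result has the `{ url, problems }` shape and that problem objects look like the sample above; the numeric-to-label severity mapping (4 = "error", matching the sample problem and the "error" configuration) is an assumption about webhint's Severity enum. The sample results are constructed inline from the issue's example problem so the block runs offline.

```javascript
// Added example (not from is-website-vulnerable or webhint). Turns webhint
// Analyzer results into findings and guards against "silent false negatives".
//
// Assumptions (not stated in the issue): results are { url, problems: [...] }
// with problems shaped like the sample; severity 4 means "error".

const VULN_HINT_ID = "no-vulnerable-javascript-libraries";

// Assumed mapping of webhint numeric severities to labels.
const SEVERITY_LABELS = { 0: "off", 1: "hint", 2: "information", 3: "warning", 4: "error" };

// Pull Snyk advisory ids out of a problem's documentation links.
function snykIdsOf(problem) {
  const ids = [];
  for (const doc of problem.documentation || []) {
    const m = /snyk\.io\/vuln\/([A-Z0-9-]+)/.exec(doc.link || "");
    if (m) ids.push(m[1]);
  }
  return ids;
}

// Flatten analyzer results into one finding per vulnerable-library problem,
// ignoring problems raised by other hints.
function summarizeFindings(results) {
  const findings = [];
  for (const result of results) {
    for (const problem of result.problems || []) {
      if (problem.hintId !== VULN_HINT_ID) continue;
      // The hint's message names the library as 'name@version'.
      const lib = /'([^@']+)@([^']+)'/.exec(problem.message || "");
      findings.push({
        url: result.url,
        resource: problem.resource,
        library: lib ? lib[1] : null,
        version: lib ? lib[2] : null,
        severity: SEVERITY_LABELS[problem.severity] || String(problem.severity),
        advisories: snykIdsOf(problem),
      });
    }
  }
  return findings;
}

// Canary check: run the scanner first against a fixture page under your own
// control that is known to embed a vulnerable library. Zero findings there
// means the hint is not working (e.g. upstream stopped reporting), so the
// real scan must be treated as broken rather than as "no vulnerabilities".
function assertScannerHealthy(canaryResults) {
  const findings = summarizeFindings(canaryResults);
  if (findings.length === 0) {
    throw new Error(
      `canary scan produced no '${VULN_HINT_ID}' findings; refusing to report a clean result`
    );
  }
  return findings.length;
}

// Constructed sample, modelled on the problem object shown in the issue.
const SAMPLE_RESULTS = [
  {
    url: "https://www.foxnews.com/",
    problems: [
      {
        category: "security",
        documentation: [
          { link: "https://snyk.io/vuln/SNYK-JS-JQUERY-567880", text: "Learn more at Snyk" },
          { link: "https://snyk.io/vuln/SNYK-JS-JQUERY-565129", text: "Learn more at Snyk" },
          { link: "https://snyk.io/vuln/SNYK-JS-JQUERY-174006", text: "Learn more at Snyk" },
        ],
        hintId: VULN_HINT_ID,
        location: { column: -1, line: -1 },
        message: "'jQuery@3.1.1' has 3 known vulnerabilities (3 medium).",
        resource: "https://www.foxnews.com/",
        severity: 4,
        sourceCode: "",
      },
      // Constructed problem from an unrelated hint; must not be counted.
      {
        category: "performance",
        documentation: [],
        hintId: "http-compression",
        message: "constructed non-security problem",
        resource: "https://www.foxnews.com/",
        severity: 3,
      },
    ],
  },
];

// Usage: gate the real scan on the canary, then summarize.
assertScannerHealthy(SAMPLE_RESULTS);
console.log(JSON.stringify(summarizeFindings(SAMPLE_RESULTS), null, 2));
```

In a CI integration the canary results would come from a second `webhint.analyze()` call against the fixture URL; wiring that in is left to the refactor the issue proposes.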