Add npm signature check #1825

Merged: 1 commit merged into develop from feature/seab-1533/npm-signatures on Jul 26, 2023

Conversation

@david4096 (Member) commented Jul 20, 2023

Description

NPM has deprecated the PGP method of verifying signatures and now uses its own ECDSA registries. https://docs.npmjs.com/verifying-registry-signatures

This PR adds a signature check to the npm-audit-test that can help us detect if there has been an attempt to hijack one of our dependencies.

➜  dockstore-ui2 ✗ npm audit signatures
audited 1779 packages in 8s

1779 packages have verified registry signatures

https://github.com/dockstore/dockstore-ui2/actions/runs/5614243824/job/15211965428?pr=1825

Review Instructions

The GitHub workflow passes with a log message showing that the signatures have been verified.

Issue

https://ucsc-cgl.atlassian.net/browse/SEAB-1533

Security
If there are any concerns that require extra attention from the security team, highlight them here.

Please make sure that you've checked the following before submitting your pull request. Thanks!

  • Check that your code compiles by running npm run build
  • Ensure that the PR targets the correct branch. Check the milestone or fix version of the ticket.
  • If this is the first time you're submitting a PR or even if you just need a refresher, consider reviewing our style guide
  • Do not bypass Angular sanitization (bypassSecurityTrustHtml, etc.), or justify why you need to do so
  • If displaying markdown, use the markdown-wrapper component, which does extra sanitization
  • Do not use cookies, although this may change in the future
  • Run npm audit and ensure you are not introducing new vulnerabilities
  • Do due diligence on new 3rd party libraries, checking for CVEs
  • Don't allow user-uploaded images to be served from the Dockstore domain
  • If this PR is for a user-facing feature, create and link a documentation ticket for this feature (usually in the same milestone as the linked issue). Style points if you create a documentation PR directly and link that instead.
  • Check whether this PR disables tests. If it legitimately needs to disable a test, create a new ticket to re-enable it in a specific milestone.

@david4096 david4096 force-pushed the feature/seab-1533/npm-signatures branch from e1b4642 to a72a011 on July 25, 2023 18:12
sonarcloud bot commented Jul 25, 2023

Kudos, SonarCloud Quality Gate passed!

Bugs: 0 (rating A)
Vulnerabilities: 0 (rating A)
Security Hotspots: 0 (rating A)
Code Smells: 0 (rating A)

No Coverage information
No Duplication information

codecov bot commented Jul 25, 2023

Codecov Report

Patch and project coverage have no change.

Comparison is base (6ad1556) 40.70% compared to head (a72a011) 40.70%.

Additional details and impacted files
@@           Coverage Diff            @@
##           develop    #1825   +/-   ##
========================================
  Coverage    40.70%   40.70%           
========================================
  Files          363      363           
  Lines        11213    11213           
  Branches      2860     2860           
========================================
  Hits          4564     4564           
  Misses        4360     4360           
  Partials      2289     2289           

see 2 files with indirect coverage changes


@david4096 david4096 marked this pull request as ready for review July 25, 2023 21:16
@david4096 david4096 merged commit d77d52a into develop Jul 26, 2023
12 checks passed
@david4096 david4096 deleted the feature/seab-1533/npm-signatures branch July 26, 2023 17:17
5 participants