-
Notifications
You must be signed in to change notification settings - Fork 238
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
npm audit and audit-resolve.json #18
base: main
Are you sure you want to change the base?
Conversation
### resolutions | ||
- **fix** runs the fix proposed in audit action and marks the issue as fixed in `audit-resolv.json`. On each subsequent run of `npm audit resolve` if the issue comes up again, the user is also warned that the problem was supposed to be fixed already. | ||
- **ignore** marks the issue as ignored and `npm audit` will no longer fail because of it (but should display a single line warning about the issue being ignored). If a new vulnerability is found in the same dependency, it does not get ignored. If another dependency is installed with the same vulnerability advisory id it is not ignored. If the same package is installed as a dependency to another dependency (different path) it is not ignored. | ||
- **postpone** marks the issue as postponed to a timestamp 24h in the future. Instead of ignoring an issue permanently just to make a build pass, one can postpone it when in rush, but make it show up as a CI faiure on the next working day. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The next working day is often more than 24 hours later; is this just meant as an example?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. I didn't intend it to count in working days.
If noone's at work and the build turns red, does it make a sound?
Why is postpone useful at all? It's designed to build a secure development culture where one didn't yet form. Without it, a developer under time pressure would mark an issue as ignored with intention to un-mark it later. | ||
While shipping with a known vulnerability is a bad practice, NPM's mission with the community should be to empower people to build more secure products and trust their skill and understanding of their project's particular needs. We should also aspire to help teams introduce more secure workflows effortlessly, so letting a build pass without risking compromising security long-term is a win. | ||
|
||
Remove is only useful as a convenience. Imagine a developer introducing `npm audit` and having to go through tens of issues. If they notice one of the first issues is caused by a dependency they no longer use, instead of remembering to clean it up later, they can choose this option. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Presumably this could also narrow the list of action items, if some of them are from transitive deps of the removed item?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In my experience audit grouped these together nicely, so when I choose remove it's unlikely the dependency or any of its children would come up again.
But we could easily run audit again after the remove command and thanks to audit-resolv being written after each decision, it'd automatically continue from the same point on the list.
What's the latest on this? Would be great to have something to replace .nsprc/exceptions from nsp. |
I don't really know what's next other than moving my repo to npm org on GitHub. I have more free time than usual for the next few days so I'd be happy to move this forward too. But you can use it now. Install npm-audit-resolver. I'm using it at work with my team for a while now |
### resolutions | ||
- **fix** runs the fix proposed in audit action and marks the issue as fixed in `audit-resolv.json`. On each subsequent run of `npm audit resolve` if the issue comes up again, the user is also warned that the problem was supposed to be fixed already. | ||
- **ignore** marks the issue as ignored and `npm audit` will no longer fail because of it (but should display a single line warning about the issue being ignored). If a new vulnerability is found in the same dependency, it does not get ignored. If another dependency is installed with the same vulnerability advisory id it is not ignored. If the same package is installed as a dependency to another dependency (different path) it is not ignored. | ||
- **postpone** marks the issue as postponed to a timestamp 24h in the future. Instead of ignoring an issue permanently just to make a build pass, one can postpone it when in rush, but make it show up as a CI faiure on the next working day. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How do we handle the situation in which somebody keeps hitting snooze (postpone) on a vulnerability. Do we really have to rely on git commit history to see this? Should we track all history not just the current state / decisions? This adds complexity that we maybe don't need but also could be a useful audit trail?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought about a few cases of audit trail with similar conclusions. IMHO the benefit of audit-resolv file's simplicity outweighs the inconvenience of using git history. Also, people are quite familiar with git so the less we do on our end, the less learning they have to do.
I'd like to avoid the file growing to overwhelming lengths, but other than that I'm fine with adding more capability to this file format if it's useful for the server side ignores etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Leaving only the 24h option it should be annoying enough for most reasonable people to eventually fix. :)
Unless someone gets a job postponing vulnerabilities every morning before the team comes in.
With the audit-resolve format change I just pushed we can also add a count${dependency path}er. I'd consider that a nice touch, not the core functionality though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update - instead of letting people postpone for more than 24h, due to a popular demand, I got an option in to make ignores expire. So if you decide to ignore something because there's no fix and it doesn't seem accessible from the code that depends on it, it's possible to make it expire.
Added expiresAt
field to the decision object in resolve file
`npm audit resolve` runs audit and iterates over all actions from the output with a prompt for a decision on each. | ||
If fix is available, it's offered as one of the options to proceed. Other options include: ignore, remind later and delete. | ||
|
||
All decisions are stored in `audit-resolv.json` file as key-value, where key is `${dependency path}|${advisory id}` and value is a structure specific to the resolution. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you document the format of this file? Also adding in the option to have a reason
for each decision.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another though is that the audit-resolve.json
file should not be published as part of a module publication. We will want to assert exceptions outside of the package.json and update those exceptions outside of the normal publication lifecycle.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will update the RFC to contain the file format spec
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
only the file next to top level package.json should be taken into account at all (and that's how it's implemented in npm-audit-resolver)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After some tweaking I updated the RFC to include a precise format definition. Same format definition is used in a branch where I'm working on refactoring.
npm-audit-resolver package after the refactoring should be trivial to integrate into npm audit for the purpose of respecting decisions made in audit-resolve.json
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Schema is defined here: https://github.com/naugtur/npm-audit-resolver/blob/refactoring/src/core/auditFile/versions/v1.js as part of the app - for validation
In general I'm very excited about the potential of the |
(Heads up, we are tracking this internally and it's something we intend to get to, but I can't give you an exact timeline right now. Thanks for your patience.) |
If you want to consider one bigger push to move this forward, my family is out for winter vacation 25-28Feb while I stay at work, so I'll have unusually many hours in the evenings in that period. |
This would be an awesome addition to npm CLI. We used to run Recently we've switched to @naugtur 's npm-resolve-audit module by installing it as a dev dependency and adding a script to run Thanks for building this tool @naugtur ! |
@ersel if you're running it inside an npm script, you can use it as a command Check out my slides on using audit in CI (and other things) https://naugtur.pl/pres3/securedev/#/18 |
I've updated the RFC and I'm working on a refactoring to separate the core features from npm-related and interactive ones. Could we agree on making |
Hi, I'm finishing the refactoring I mentioned before. I will open another PR to npm some time soon introducing the line to include decisions from audit-resolve.json in the Edit: |
@jfaylon There's a collaboration space being set up under the OpenJS Foundation to tackle this. For now you can use https://www.npmjs.com/package/npm-audit-resolver for your vulnerability management. My team's been doing that for a few years now. |
Historically this proposal was titled "Interactive audit resolver". That idea was too wide to introduce in one go and parts of it are better served in userland packages. This is now the core subset of the original proposal containing support for resolutions file. | ||
|
||
This proposal is for adding means for a human to resolve issues from `npm audit` by making and documenting decisions to ignore particular false positives. | ||
The implementation should introduce support for reading and applying decisions from `audit-resolve.json` file |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer either doing this through a more generic audit.json
or through an audit
property in package.json. Having a whole new file for a single purpose in the npm CLI feels… off.
There was discussion of additional config setups that I had with @darcyclarke that it could also potentially fit in, but they don’t exist yet so I can’t really recommend them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't go with a package.json field because everyone kept saying we use it for too many things already and the audit file tends to be larger (from my practical experience of running the tool for 3-4 years)
Also, there's a plan to use it as vehicle for sharing recommendation. More on this here:
https://dev.to/naugtur/do-you-need-help-with-your-npm-audit-3olf
I'm not opinionated about the name. The final decision on the name will have to happen when we standardize the format in OpenJSF
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other advantages of keeping it in a separate file include more granular codeowners targeting.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll make it explicit here so it can be referred to in whatever OpenJSF work you're talking about: I'm a hard -1 on audit-resolve.json
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
audit.json is fine.
OpenJSF work here
https://github.com/openjs-foundation/pkg-vuln-collab-space
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that's not exactly good security practice
users should actually be doing their due diligence here with their dependencies and that
I think it should be fully considered that a large number of projects will either:
- not have maintainers that have the bandwidth to do this
- not have maintainers that know how to do this
- not have maintainers that know this needs to be done at all
- not have maintainers (unmaintained / insufficiently maintained)
I work with a bunch of beginners every three months in our coding bootcamp at @upleveled and this is one example of maintainers who will not do this. And if you pick random packages on npm, more likely than not, you'll have something that is not well maintained.
So to save and check the audit decision as close as possible to the actual usage of the vulnerable code seems like actually a better security practice overall for the industry (at least as a fallback option).
Affecting sea change so that everyone in the industry spends time to check the security of their dependencies is unrealistic.
I think @naugtur's suggestion here could be one interesting way to implement this:
package maintainers could publish ignore lists for the dependencies of their package when they did the research to verify the package is not affected.
Such lists could be aggregated into recommendations maintained by security professionals.
To be clear, again, I'm not proposing this as the ONLY security measure - teams which have security processes, budget and practice in place should continue to do that and thus will be even more secure.
But for the majority of projects which will not have this level of focus on security, there should be a base level of security by default, provided by the ecosystem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea is to give people tools to do the best they can with the bandwidth they have. If we force them to address everything on their own, they're likely to just drop security from their pipeline
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And I'm just saying we should just not hide it by default, and instead force the user to take some explicit action, even if it's not necessarily actually looking at the code and confirming everything.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We shouldn't - the user should never see something that isn't actionable for them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll partially agree to disagree and move on.
if this RFC is not reflective of a proposal, should it be closed? It's already been extremely misleading given that it's not the "real" representation of what the proposal is. |
After the last meeting I knew I should rewrite it now and I know what to put in it. Family matters and chores got in the way. I will rewrite it to reflect what it should. |
Are there any progress updates on this? With the new move of the advisory database of NPM now on GitHub (https://github.blog/changelog/2021-10-03-the-npm-advisory-database-is-now-part-of-the-github-advisory-database/) some of the moderate vulnerabilities that we can't resolve right now have been tagged as High - breaking our builds. It would be great if we can accept the risks on them specifically to allow the build to pass again. |
Looks like it didn't actually get discussed at the meeting: https://youtu.be/nkohPHyvzw4?t=3582 @bnb Sounds like this was an action item for you; did you get a chance to look at the state of this? |
I'm not going to try to be speculative on an RFC that the creator has very specific ideas about without it actually being in a PR. I don't think that'd be particularly fair to them or me 😅 |
Ok, so we're waiting on @naugtur , got it! :) |
Waiting for this like many others... |
Still waiting for this. |
BTW. I'm very near releasing a new major version of npm-audit-resolver, if anyone wants to help out. Happy to go back to discussing getting the policy check into npm cli. Still bullish on not doing it per package name but per dependency path. Also, it used to be a PR before it was an RFC :D |
I can help, you can reach me using the contacts in my Github profile. |
Any update? We need it to bypass some common packages in the third-party dependencies (eg. lodash/lodash#5808 ) which block our build steps. The best we can do now is just totally disable |
You can use npm-audit-resolver - I've released a version with updated support last year. This RFC is unlikely to move forward. npm is maintained by a small team and unlikely to make major new work happen. |
There is no way to ignore specific vulnerabilities (npm/rfcs#18) and likely will never be. The list of vulnerabilities it currently reports is: - GHSA-36jr-mh4h-2g58: No fix required since it only allows self-DoS.
[edit] This RFC is very old, some progress on developing the idea led to a Collab Space in OpenJSF and this format proposal: openjs-foundation/pkg-vuln-collab-space#11
Was: npm audit resolve
Updated to only cover the support for audit-resolve.json file in npm.
Currently implemented in userland here: https://www.npmjs.com/package/npm-audit-resolver
The
check-audit
command from the above package is providing the exact functionality proposed here.Other places where this was discussed:
npm/cli#10
https://npm.community/t/interactive-tool-to-manage-audit-findings-npm-audit-resolve/197