Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(audit) Initial addition of yarn audit command. #6409

Merged
merged 20 commits into from
Oct 2, 2018

Conversation

rally25rs
Copy link
Contributor

@rally25rs rally25rs commented Sep 20, 2018

Summary

Adds the yarn audit command.

Adds the --audit flag to yarn add / install / upgrade

Currently the functionality is fairly basic. It roughly copies the initial audit release of npm including the style of reporting.

The audit command will return 0 if no issues are found, otherwise returns non-0 exit code.

Unlike npm, yarn doesn't currently auto-run audit on add/install/upgrade. Partly this is due to the additional network call and a lack of an easy way to mock it during unit tests, so every unit test tries to hit npm's API to audit the packages being "installed" during unit tests.
To run an audit during add/install/upgrade, please specify the --audit flag.

If the --offline flag is specified along with --audit then audit will be skipped (and a message noting this will be printed)

If you would like audit to always be run, you can add to the .yarnrc file:

--add.audit true
--install.audit true
--upgrade.audit true

implements #5808

Test plan

Added some basic unit tests.

When reporting audit issues, please run with --verbose and include the "Audit API Request" and "Audit API Response" JSON.

rally25rs added 10 commits June 6, 2018 21:47
Added "yarn audit" command which copies the behavior of "npm audit". Unline npm, yarn does not
automatically run "audit" during "add/install/upgrade" commands. Since this would cause an
additional network call, it broke all existing unit tests to add this feature and have it run
automatically. In the interest of getting an initial release in the hands of our users the
"add/install/upgrade" commands accept a "--audit" flag that will enable the audit. If you want audit
to always execute, you can add "--*.audit true" to .yarnrc

fix yarnpkg#5808
@rally25rs rally25rs self-assigned this Sep 20, 2018
@rally25rs rally25rs requested review from BYK and arcanis September 20, 2018 01:13
@buildsize
Copy link

buildsize bot commented Sep 20, 2018

File name Previous Size New Size Change
yarn-[version].noarch.rpm 1.07 MB 1.09 MB 17.64 KB (2%)
yarn-[version].js 4.2 MB 4.26 MB 65.11 KB (2%)
yarn-legacy-[version].js 4.37 MB 4.44 MB 68.66 KB (2%)
yarn-v[version].tar.gz 1.08 MB 1.1 MB 19.54 KB (2%)
yarn_[version]all.deb 791.86 KB 803.57 KB 11.72 KB (1%)

@arcanis
Copy link
Member

arcanis commented Sep 21, 2018

Hey Jeff! Thanks for your work on this! A few comments:

  • The --audit flag isn't working, it should be listed in src/cli/index.js
  • Running an install with --audit is subject to the integrity check; we shouldn't bailout in this case
  • The vulnerable package names are not shown, making it hard to know what should be done

I'm also not convinced by the workflow - right now you must add --audit when doing an install, meaning that if something is vulnerable you'll only know it after it's been installed (and its postinstall scripts have run). That doesn't look great from a security perspective. What would you think of this?:

  • run --audit by default on yarn add and yarn upgrade, possibly prompting the user to confirm when they inadvertently add a vulnerable package (either explicitly or through transitive dependencies)
    • A problem in this case is that without specific treatment it would also report the errors caused by the packages that already are in the dependency tree - maybe we should filter them out in this case?
  • don't run --audit by default on yarn install (like it currently is, no change there)
  • add a yarn audit command that simply validate the current state (exit code 1 if vulnerable)
    • yarn audit wouldn't do a full install, and would use the versions currently in the lockfile
    • I guess doing the resolution if missing would also be ok; basically, skip fetch/link/build

What do you think?

@arcanis
Copy link
Member

arcanis commented Sep 21, 2018

Wait, sorry, missed that the yarn audit command already exists with your PR; so basically the only change I'd suggest would be to run it by default on yarn add (and filter out the existing errors), but that's your call 😃

I'd also maybe suggest to make --audit on install prompt the user at install-time when they would install a vulnerable packages (before they're actually installed).

@@ -628,12 +668,24 @@ export class Install {
for (const step of steps) {
const stepResult = await step(++currentStep, steps.length);
if (stepResult && stepResult.bailout) {
if (this.flags.audit) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure this works - when running install --audit twice, the second time I get no reports

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's because the bailout is done at the end of the resolution step, before the audit gets initialized

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I'm pretty sure yarn just bails before it gets that far, like it would have during a normal install.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it should be safe to disable the integrity check altogether when --audit is set.

@rally25rs
Copy link
Contributor Author

@arcanis

I'd suggest would be to run it by default on yarn add

that was my original intent, like npm does, but it breaks all the existing unit tests because it has to make a network call. if you can think of a way to mock out that request by default for all tests, that would be great. Also I think in Discord @BYK said he was a bit concerned about adding another network call.

I'd also maybe suggest to make --audit on install prompt the user at install-time when they would install a vulnerable packages (before they're actually installed).

I think I left a comment in the code where I could bailout if there are errors, but npm doesn't by default. Prompting the user gets tricky because what if this is in a CI environment or --non-interactive is passed.

The vulnerable package names are not shown, making it hard to know what should be done

Is this just on a yarn install --audit? I believe npm does the same; just prints the summary and tells the user to "run yarn audit for more info".


In addition I noticed a couple other ... oddities.

This command uses npm's api and half the code is a copy/paste from them, but yarn audit reports more errors than npm audit does. In the case I saw, npm wasn't reporting errors that were from a transitive dep of a github repo dependency. When the npm audit API sends back a "resolution recommendation" it wants tot ell the user to run yarn upgrade foo@123 to resolve the vulnerability, but foo is a transitive dep, so that won't fix it. 😕

example:

yarn audit v1.11.0-0
# Run yarn upgrade url-parse@1.4.3 to resolve 2 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Open Redirect                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ url-parse                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.4.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cxcore-ui-build-tasks                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cxcore-ui-build-tasks > webpack-dev-server > sockjs-client > │
│               │ eventsource > original > url-parse                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/678                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

where cxcore-ui-build-tasks is a github url dependency. npm audit doesn't report that vulnerability at all, but the api returns the recommendation:

{
  "actions": [
    {
      "action": "update",
      "module": "url-parse",
      "depth": 6,
      "target": "1.4.3",
      "resolves": [
        {
          "id": 678,
          "path": "cxcore-ui-build-tasks>webpack-dev-server>sockjs-client>eventsource>original>url-parse",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 678,
          "path": "cxcore-ui-build-tasks>webpack-dev-server>sockjs-client>url-parse",
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ]
    },

but update url-parse@1.4.3 isn't going to do anything.
So I think I might be constructing the JSON request / dep tree incorrectly. I might be reporting these packages by their hoisted location so npm thinks url-parse is at the top of the hierarchy.
Not sure yet...

@rally25rs
Copy link
Contributor Author

OK I think this should be in a good place for an initial release. It's not feature-rich, but it does report audit problems correctly at this point.

@arcanis
Copy link
Member

arcanis commented Oct 1, 2018

Looks good to me! I'll merge the changelog, update this PR, and merge it 👍

@arcanis arcanis merged commit 49a157c into yarnpkg:master Oct 2, 2018
dwaynebailey pushed a commit to hmcts/cnp-jenkins-library that referenced this pull request Oct 6, 2018
nsp has been retired and 'npm audit' is the recommended alternative.
Since yarnpkg/yarn#6409 yarn v1.12.0 has an
audit capability.  Use that instead.
@Gudahtt
Copy link
Member

Gudahtt commented Oct 12, 2018

I believe this PR is the reason the nightly tests on Ubuntu 16.0.4 have been failing.

The dependency cli-table3 doesn't support Node v4. The line the test is failing on is this one, due to the use of let.

The reason the other end-to-end tests aren't affected is that they use Node v6.

I don't yet know why the other tests aren't failing on Node v4. Perhaps this library is never invoked outside of the end-to-end tests.

danpat added a commit to Project-OSRM/osrm-backend that referenced this pull request Oct 30, 2018
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Nov 22, 2018
Changelog tracks back up to 1.12.0 only.

## 1.12.3

**Important:** This release contains a cache bump. It will cause the very first install following the upgrade to take slightly more time, especially if you don't use the [Offline Mirror](https://yarnpkg.com/blog/2016/11/24/offline-mirror/) feature. After that everything will be back to normal.

- Fixes an issue with `yarn audit` when using workspaces

  [6625](yarnpkg/yarn#6639) - [**Jeff Valore**](https://twitter.com/codingwithspike)

- Uses `NODE_OPTIONS` to instruct Node to load the PnP hook, instead of raw CLI arguments

  **Caveat:** This change might cause issues for PnP users having a space inside their cwd (cf [nodejs/node24065](nodejs/node#24065))

  [6479](yarnpkg/yarn#6629) - [**Maël Nison**](https://twitter.com/arcanis)

- Fixes Gulp when used with Plug'n'Play

  [6623](yarnpkg/yarn#6623) - [**Maël Nison**](https://twitter.com/arcanis)

- Fixes an issue with `yarn audit` when the root package was missing a name

  [6611](yarnpkg/yarn#6611) - [**Jack Zhao**](https://github.com/bugzpodder)

- Fixes an issue with `yarn audit` when a package was depending on an empty range

  [6611](yarnpkg/yarn#6611) - [**Jack Zhao**](https://github.com/bugzpodder)

- Fixes an issue with how symlinks are setup into the cache on Windows

  [6621](yarnpkg/yarn#6621) - [**Yoad Snapir**](https://github.com/yoadsn)

- Upgrades `inquirer`, fixing `upgrade-interactive` for users using both Node 10 and Windows

  [6635](yarnpkg/yarn#6635) - [**Philipp Feigl**](https://github.com/pfeigl)

- Exposes the path to the PnP file using `require.resolve('pnpapi')`

  [6643](yarnpkg/yarn#6643) - [**Maël Nison**](https://twitter.com/arcanis)

## 1.12.2

This release doesn't actually exists and was caused by a quirk in our systems.

## 1.12.1

- Ensures the engine check is ran before showing the UI for `upgrade-interactive`

  [6536](yarnpkg/yarn#6536) - [**Orta Therox**](https://github.com/orta)

- Restores Node v4 support by downgrading `cli-table3`

  [6535](yarnpkg/yarn#6535) - [**Mark Stacey**](https://github.com/Gudahtt)

- Prevents infinite loop when parsing corrupted lockfiles with unterminated strings

  [4965](yarnpkg/yarn#4965) - [**Ryan Hendrickson**](https://github.com/rhendric)

- Environment variables now have to **start** with `YARN_` (instead of just contain it) to be considered

  [6518](yarnpkg/yarn#6518) - [**Michael Gmelin**](https://blog.grem.de)

- Fixes the `extensions` option when used by `resolveRequest`

  [6479](yarnpkg/yarn#6479) - [**Maël Nison**](https://twitter.com/arcanis)

- Fixes handling of empty string entries for `bin` in package.json

  [6515](yarnpkg/yarn#6515) - [**Ryan Burrows**](https://github.com/rhburrows)

- Adds support for basic auth for registries with paths, such as artifactory

  [5322](yarnpkg/yarn#5322) - [**Karolis Narkevicius**](https://twitter.com/KidkArolis)

- Adds 2FA (Two Factor Authentication) support to publish & alike

  [6555](yarnpkg/yarn#6555) - [**Krzysztof Zbudniewek**](https://github.com/neonowy)

- Fixes how the `files` property is interpreted to bring it in line with npm

  [6562](yarnpkg/yarn#6562) - [**Bertrand Marron**](https://github.com/tusbar)

- Fixes Yarn invocations on Darwin when the `yarn` binary was symlinked

  [6568](yarnpkg/yarn#6568) - [**Hidde Boomsma**](https://github.com/hboomsma)

- Fixes `require.resolve` when used together with the `paths` option

  [6565](yarnpkg/yarn#6565) - [**Maël Nison**](https://twitter.com/arcanis)

## 1.12.0

- Adds initial support for PnP on Windows

  [6447](yarnpkg/yarn#6447) - [**John-David Dalton**](https://twitter.com/jdalton)

- Adds `yarn audit` (and the `--audit` flag for all installs)

  [6409](yarnpkg/yarn#6409) - [**Jeff Valore**](https://github.com/rally25rs)

- Adds a special logic to PnP for ESLint compatibility (temporary, until [eslint/eslint10125](eslint/eslint#10125) is fixed)

  [6449](yarnpkg/yarn#6449) - [**Maël Nison**](https://twitter.com/arcanis)

- Makes the PnP hook inject a `process.versions.pnp` variable when setup (equals to `VERSIONS.std`)

  [6464](yarnpkg/yarn#6464) - [**Maël Nison**](https://twitter.com/arcanis)

- Disables by default (configurable) the automatic migration of the `integrity` field. **It will be re-enabled in 2.0.**

  [6465](yarnpkg/yarn#6465) - [**Maël Nison**](https://twitter.com/arcanis)

- Fixes the display name of the faulty package when the NPM registry returns corrupted data

  [6455](yarnpkg/yarn#6455) - [**Grey Baker**](https://github.com/greysteil)

- Prevents crashes when running `yarn outdated` and the NPM registry forgets to return the `latest` tag

  [6454](yarnpkg/yarn#6454) - [**mad-mike**](https://github.com/mad-mike)

- Fixes `yarn run` when used together with workspaces and PnP

  [6444](yarnpkg/yarn#6444) - [**Maël Nison**](https://twitter.com/arcanis)

- Fixes an edge case when peer dependencies were resolved multiple levels deep (`webpack-dev-server`)

  [6443](yarnpkg/yarn#6443) - [**Maël Nison**](https://twitter.com/arcanis)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants