Missing support for NPM audit v2 #8

Open
codejedi365 opened this issue Feb 21, 2021 · 0 comments · May be fixed by #9

codejedi365 commented Feb 21, 2021

With NPM v7.5.4 out now, the npm audit --json output has changed. I am using this in my CI pipeline on GitLab and am currently not getting the expected results output from this library, which are compatible with GitLab.

Example of the new npm audit --json format with npm v7.5.4:

{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "immer": {
      "name": "immer",
      "severity": "high",
      "via": [
        {
          "source": 1603,
          "name": "immer",
          "dependency": "immer",
          "title": "Prototype Pollution",
          "url": "https://npmjs.com/advisories/1603",
          "severity": "high",
          "range": "<8.0.1"
        }
      ],
      "effects": [
        "react-dev-utils"
      ],
      "range": "<8.0.1",
      "nodes": [
        "node_modules/immer"
      ],
      "fixAvailable": {
        "name": "react-scripts",
        "version": "2.0.5",
        "isSemVerMajor": true
      }
    },
    "react-dev-utils": {
      "name": "react-dev-utils",
      "severity": "high",
      "via": [
        "immer"
      ],
      "effects": [
        "react-scripts"
      ],
      "range": ">=6.0.6-next.9b4009d7",
      "nodes": [
        "node_modules/react-dev-utils"
      ],
      "fixAvailable": {
        "name": "react-scripts",
        "version": "2.0.5",
        "isSemVerMajor": true
      }
    },
    "react-scripts": {
      "name": "react-scripts",
      "severity": "high",
      "via": [
        "react-dev-utils"
      ],
      "effects": [],
      "range": ">=2.0.6-next.9b4009d7",
      "nodes": [
        "node_modules/react-scripts"
      ],
      "fixAvailable": {
        "name": "react-scripts",
        "version": "2.0.5",
        "isSemVerMajor": true
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 3,
      "critical": 0,
      "total": 3
    },
    "dependencies": {
      "prod": 2271,
      "dev": 489,
      "optional": 28,
      "peer": 0,
      "peerOptional": 0,
      "total": 2787
    }
  }
}

Current invalid parser output in my pipeline:

{
  "version": "2.0",
  "vulnerabilities": [],
  "remediations": []
}

Expected output: GitLab dependency_scanner regular array of vulnerability objects

{
  "version": "2.0",
  "vulnerabilities": [
    {
      "tool": "npm_audit",
      "category": "dependency_scanning",
      "name": "immer",
      "namespace": "immer",
      "message": "Prototype Pollution",
      "cve": "package.jsonimmer:cve_id:CVE-2020-28477",
      "description": "## Overview\n\nAffected versions of `immer` are vulnerable to Prototype Pollution.\n\n## Proof of exploit\n\n```\nconst {applyPatches, enablePatches} = require(\"immer\");\nenablePatches();\nlet obj = {};\nconsole.log(\"Before : \" + obj.polluted);\napplyPatches({}, [ { op: 'add', path: [ \"__proto__\", \"polluted\" ], value: \"yes\" } ]);\n// applyPatches({}, [ { op: 'replace', path: [ \"__proto__\", \"polluted\" ], value: \"yes\" } ]);\nconsole.log(\"After : \" + obj.polluted);\n```\n\n## Remediation\n\nVersion 8.0.1 contains a [fix](https://github.com/immerjs/immer/commit/da2bd4fa0edc9335543089fe7d290d6a346c40c5) for this vulnerability, updating is recommended.",
      "severity": "High",
      "fixedby": "Anonymous",
      "confidence": "High",
      "scanner": {
        "id": "npm_audit_advisories",
        "name": "NPM Audit"
      },
      "location": {
        "file": "package.json",
        "dependency": {
          "package": {
            "name": "immer"
          },
          "version": "<8.0.1"
        }
      },
      "identifiers": [
        {
          "type": "cve_id",
          "name": "CVE-2020-28477",
          "value": "CVE-2020-28477",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28477"
        },
        {
          "type": "cwe_id",
          "name": "CWE-1321",
          "value": "CWE-1321",
          "url": "https://cwe.mitre.org/data/definitions/1321.html"
        }
      ],
      "solution": "Upgrade to version 8.0.1 or later",
      "instances": [
        {
          "method": "react-scripts>react-dev-utils>immer"
        }
      ],
      "links": [
        {
          "url": "https://npmjs.com/advisories/1603"
        }
      ]
    }
  ],
  "remediations": []
}

NOTE: NPM now has a concept of metavulnerabilities, which causes some duplicate results: the 1 vulnerability in the immer package creates 3 official vulnerabilities here. I understand an underlying vulnerability causes issues in the higher layers, but if you fix the 1, don't you fix all 3? Food for thought...

Also, I'm not certain of the exact expected output that should exist now that there are 3 vulnerabilities for npm 7 vs npm 6. I generated the expected output using npm 6, but it should be modified to fit the new results. Thanks for all your work!
