Interactive tool to manage audit findings - npm audit resolve

cli
security

(Zbyszek Tenerowicz) #1

Well, this: https://www.npmjs.com/package/npm-audit-resolver

I’d like to contribute this interactive tool as an extension or alternative to npm audit fix.

Background (feel free to skip)
I’m a leader / solutions guy in a team that frantically churns out new integrations written in Node.js and various front-end stacks. There are 21 of them already. We tend to have to focus on new apps but we revisit most of them every X months, so it’s best that we keep them all well maintained. I’m at the point where I write tools to automate making configuration changes to all projects at once.

These apps tend to have diverse sets of dependencies, with quite a few being shared across the board. Recently, when some new vulnerabilities got published, all builds went red and we didn’t have obvious fixes for some of the issues. We considered the option to ignore advisory numbers, but some of the issues in our test dependencies (which we don’t ship to production servers at all) were the kinds that we’d never allow in our production dependencies. So that option’s out.

At first, when using nsp check, I used to spend a day to go through all of the apps and apply all the fixes. With scripts iterating over repositories it got a bit better, but I badly needed the tool I want to discuss here.

My case is on the extreme side, but it makes it easier for me to identify the needs.

Features

What I’d like to suggest/contribute is:

  • interactive CLI tool to speed up making and applying decisions
  • audit-resolv.json (or a section in package.json) to store the decisions
  • ability to postpone, ignore, remember fixed - all recorded for specific paths and issues, so the same issue found elsewhere would not get ignored
  • tools to help out when a fix is not yet known (action:review cases)

As for the action:review, take a look at the “investigate” option in the resolver. Currently, while the implementation is still quite naive, it’s capable of finding the package which would have to bump their dependency to fix the issue. It can also identify when a newer version of a package doesn’t have the vulnerable dependency anymore, which npm audit doesn’t seem to notice as a possible fix.

Action items
Performance and future-proofing of this tool would be better if it was built into npm, so here I am.

  • I might need someone to help me get started and suggest where this code would go based on your conventions.
  • I’m hoping to discuss this and I’m looking forward to confronting this with your WIP features and ideas, also sharing my perspective on security maintenance at a team where the apps count is 5 times higher than developer count.
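
As an added illustration of the path-scoped decisions described in the post above (this is example code, not code from npm-audit-resolver or npm; the report object is a constructed, simplified stand-in for `npm audit --json` output, and the `audit-resolv.json` layout keyed by `<advisory id>|<dependency path>` is a hypothetical format, not the tool's actual one), the function below shows why recording a decision against the advisory alone is not enough: the same advisory reached through a second, production path stays unresolved, and a postponement expires on its own.

```javascript
// Added example (not npm-audit-resolver's or npm's code): resolve audit findings
// against decisions scoped to (advisory id, dependency path). The report shape is a
// simplified stand-in for `npm audit --json`; the decisions format is hypothetical.

// Constructed sample report: one advisory reachable through two different paths,
// one of them a dev-only dependency, plus a second, low-severity advisory.
const sampleReport = {
  advisories: {
    1234: {
      id: 1234,
      module_name: "growl",
      severity: "critical",
      findings: [
        { version: "1.9.2", paths: ["mocha>growl"], dev: true },
        { version: "1.9.2", paths: ["notify-service>growl"], dev: false },
      ],
    },
    5678: {
      id: 5678,
      module_name: "lodash",
      severity: "low",
      findings: [{ version: "4.17.4", paths: ["lodash"], dev: false }],
    },
  },
};

// Hypothetical audit-resolv.json: keys are "<advisory id>|<dependency path>".
// Only the test-runner path of 1234 is ignored; the production path has no entry.
const sampleDecisions = {
  "1234|mocha>growl": { decision: "ignore", reason: "test runner only; never deployed" },
  "5678|lodash": { decision: "postpone", until: "2018-09-01" },
};

// Walk every (advisory, path) pair and sort it into ignored / postponed / unresolved.
// A decision applies to exactly one path, so a new path for a known advisory is
// reported again instead of inheriting the earlier ignore.
function resolveAudit(report, decisions, now = new Date()) {
  const result = { unresolved: [], ignored: [], postponed: [] };
  for (const adv of Object.values(report.advisories)) {
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        const item = {
          id: adv.id,
          module: adv.module_name,
          severity: adv.severity,
          path,
          dev: finding.dev,
        };
        const d = decisions[`${adv.id}|${path}`];
        if (!d) {
          result.unresolved.push({ ...item, why: "no decision recorded for this path" });
        } else if (d.decision === "ignore") {
          result.ignored.push({ ...item, reason: d.reason });
        } else if (d.decision === "postpone") {
          // Postponements carry a date; once it passes the finding is live again.
          if (now < new Date(d.until)) {
            result.postponed.push({ ...item, until: d.until });
          } else {
            result.unresolved.push({ ...item, why: `postponement expired on ${d.until}` });
          }
        } else {
          result.unresolved.push({ ...item, why: `unknown decision "${d.decision}"` });
        }
      }
    }
  }
  return result;
}

// Non-zero when anything still needs a human decision, so CI goes red on a new
// path while previously reviewed paths stay quiet.
function exitCode(result) {
  return result.unresolved.length === 0 ? 0 : 1;
}

if (typeof require !== "undefined" && require.main === module) {
  const r = resolveAudit(sampleReport, sampleDecisions, new Date("2018-08-15"));
  console.log(JSON.stringify(r, null, 2));
  process.exitCode = exitCode(r);
}
```

Run with a fixed `now` of 2018-08-15 and the critical `growl` advisory is reported once, for `notify-service>growl`, while the `mocha>growl` path stays ignored; re-run after 2018-09-01 and the `lodash` postponement comes back as unresolved as well.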

(Zbyszek Tenerowicz) #2

Here’s the initial contribution:

Please point me to the right issues I need to tackle there


(Rebecca Turner) #3

(Just to set expectations: The entire npm organization is doing an all-hands get together this week, so we may not be able to dig in till after it completes.)


(Kat Marchán) #4

Kind of a side note, and in light of What is collaborator at npm, I’m wondering whether we could do this integration in RFC form. If you have the patience for it, since I think it might turn out to be a somewhat significant RFC if it’s gonna describe all the behavior at hand, but it would be a good exercise for us to start understanding what it takes to have entire product proposals coming in from outside the core team, which is something we’ve only done on rare occasion in recent years (like npm doctor).


(Zbyszek Tenerowicz) #5

I wanted to start with an RFC but got worried it’d take a lot of time. And I needed to run something to know what it feels like as a user. I’m working on this as part of scratching my team’s itch, but I’m moving on to a different project and would have to contain that in my free time entirely, which is a scarce resource after my daughter was born. Just setting expectations here.

Anyway, if you think RFC is the best platform to drive my PR in terms of features and vision, I’ll do it.

Please help me get started.


(Kat Marchán) #6

Please prioritize your family. We can take our sweet time with this as needed. I’ll see about helping where I can but I’m sure we’ll all be a while. :slight_smile:


(Isiah Meadows) #7

Just checking in here. Is there anything I can do to help this along?


(Kat Marchán) #8

Nope, it’s moving along at the pace it’s gonna move along at.


(Zb) #9

Hi, posting from another account, because I tried everything to get the original one working and failed. It’s still banned from posting anything. Sorry it took me so long to work around.

Some updates to the thread:

  • For reference - the RFC is here https://github.com/npm/rfcs/pull/18 - looking forward to more comments
  • If the next step is to move the repo to npm org on github, could we do it next week? If not, what should I do next?
  • My daughter can now stand ;)

(Zbyszek Tenerowicz) #10

Account restored, looking forward to next steps.
Got a new option idea: “ignore until a newer version is released” - not sure how to implement yet ;)


(Zbyszek Tenerowicz) #11

Hi @zkat @isiahmeadows

I just finished organizing a conference and now is a great time for me to move this forward. Could you suggest some next steps?


(Kat Marchán) #12

I think getting a first draft of an RFC up is the next step here! There’s a template and instructions in https://github.com/npm/rfcs


(Zbyszek Tenerowicz) #13

Oh, you must be really busy.

I did create an RFC https://github.com/npm/rfcs/pull/18 and you added some labels to it in August. There were no new questions since then.

So what’s the next next step? :slight_smile:


(Kat Marchán) #14

Oh so you did! Then it’s just a matter of waiting. I’ve been really sick the past couple of months and my team’s in the middle of hiring (and then onboarding) two more people, so there’s very little attention left over for rfcs. Once we ramp up again, though, we’ll start doing our weekly review of RFCs.

In the meantime, maybe @adam_baldwin has some idea about next steps since we’d be looking to him for a lot of this.


(Zbyszek Tenerowicz) #15

I hope you’re ok.

Looking forward to some input from Adam then.
Meanwhile I’m making humble attempts to get some people to test the current implementation.