npm audit --parseable supresses vulnerability

security
priority:medium
help-wanted
cli
triaged

(Bonifacio De Oliveira) #1

What I Wanted to Do

Run npm audit --parseable to get results in a more parseable format. I expected the vulnerabilities list to be the same of npm audit, but it wasn’t.

What Happened Instead

There was one critical vulnerability missing when I used the --parseable option.

Reproduction Steps

Have β€œmocha-jenkins-reporter”: β€œ0.3.10” in your package.json.

  1. run npm install. npm will show 1 critical vulnerability;
  2. run npm audit --parseable and it won’t show the critical vulnerability.

Link for npm installable package.json: https://gist.github.com/Bonifacio2/9b04b33032a61afeec8c7b35f8ff31ad

Details

Platform Info

$ npm --versions

{ 'something': '1.0.0',
  npm: '6.3.0',
  ares: '1.10.1-DEV',
  cldr: '31.0.1',
  http_parser: '2.7.0',
  icu: '59.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.7.0',
  openssl: '1.0.2l',
  tz: '2017b',
  unicode: '9.0',
  uv: '1.15.0',
  v8: '6.1.534.42',
  zlib: '1.2.11' }

$ node -p process.platform
linux

(Kat MarchΓ‘n) #2

Triage notes: This does indeed seem to be the case. Compare the following:

npm audit
➜ npm audit

                       === npm audit security report ===

# Run  npm install --save-dev mocha-jenkins-reporter@0.3.12  to resolve 2 vulnerabilities
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ Low           β”‚ Regular Expression Denial of Service                         β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Package       β”‚ debug                                                        β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Dependency of β”‚ mocha-jenkins-reporter [dev]                                 β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Path          β”‚ mocha-jenkins-reporter > mocha > debug                       β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ More info     β”‚ https://nodesecurity.io/advisories/534                       β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜


β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ Critical      β”‚ Command Injection                                            β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Package       β”‚ growl                                                        β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Dependency of β”‚ mocha-jenkins-reporter [dev]                                 β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Path          β”‚ mocha-jenkins-reporter > mocha > growl                       β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ More info     β”‚ https://nodesecurity.io/advisories/146                       β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜


found 2 vulnerabilities (1 low, 1 critical) in 43 scanned packages
  run `npm audit fix` to fix 2 of them.
npm audit --parseable
➜ npm audit --parseable
install debug   low     npm install --save-dev mocha-jenkins-reporter@0.3.12    Regular Expression Denial of Service        https://nodesecurity.io/advisories/534  mocha-jenkins-reporter>mocha>debug  N

This does NOT seem to happen for npm audit --json, though:

npm audit --json
{
  "actions": [
    {
      "action": "install",
      "module": "mocha-jenkins-reporter",
      "target": "0.3.12",
      "isMajor": false,
      "resolves": [
        {
          "id": 534,
          "path": "mocha-jenkins-reporter>mocha>debug",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 146,
          "path": "mocha-jenkins-reporter>mocha>growl",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ]
    }
  ],
  "advisories": {
    "146": {
      "findings": [
        {
          "version": "1.9.2",
          "paths": [
            "mocha-jenkins-reporter>mocha>growl"
          ],
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "id": 146,
      "created": "2016-09-06T12:49:40.000Z",
      "updated": "2018-03-02T21:07:28.071Z",
      "deleted": null,
      "title": "Command Injection",
      "found_by": {
        "name": "Cristian-Alexandru Staicu"
      },
      "reported_by": {
        "name": "Cristian-Alexandru Staicu"
      },
      "module_name": "growl",
      "cves": [
        "CVE-2017-16042"
      ],
      "vulnerable_versions": "<1.10.2",
      "patched_versions": ">=1.10.2",
      "overview": "Affected versions of `growl` do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.",
      "recommendation": "Update to version 1.10.2 or later.",
      "references": "[Issue #60](https://github.com/tj/node-growl/issues/60)\n[PR #61](https://github.com/tj/node-growl/pull/61)",
      "access": "public",
      "severity": "critical",
      "cwe": "CWE-94",
      "metadata": {
        "module_type": "CLI.Library",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://nodesecurity.io/advisories/146"
    },
    "534": {
      "findings": [
        {
          "version": "2.6.8",
          "paths": [
            "mocha-jenkins-reporter>mocha>debug"
          ],
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "id": 534,
      "created": "2017-09-25T18:55:55.956Z",
      "updated": "2018-05-16T19:37:43.686Z",
      "deleted": null,
      "title": "Regular Expression Denial of Service",
      "found_by": {
        "name": "Cristian-Alexandru Staicu"
      },
      "reported_by": {
        "name": "Cristian-Alexandru Staicu"
      },
      "module_name": "debug",
      "cves": [
        "CVE-2017-16137"
      ],
      "vulnerable_versions": "<= 2.6.8 || >= 3.0.0 <= 3.0.1",
      "patched_versions": ">= 2.6.9 < 3.0.0 || >= 3.1.0",
      "overview": "Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. \n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.",
      "recommendation": "Version 2.x.x: Update to version 2.6.9 or later.\nVersion 3.x.x: Update to version 3.1.0 or later.\n",
      "references": "- [Issue #501](https://github.com/visionmedia/debug/issues/501)\n- [PR #504](https://github.com/visionmedia/debug/pull/504)",
      "access": "public",
      "severity": "low",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://nodesecurity.io/advisories/534"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 1,
      "moderate": 0,
      "high": 0,
      "critical": 1
    },
    "dependencies": 0,
    "devDependencies": 43,
    "optionalDependencies": 0,
    "totalDependencies": 43
  },
  "runId": "ab9f276f-15b6-4034-a7a2-f0af6d4420f3"
}

It would be great if someone looked into this. This is probably some small hiccup in npm-audit-report, so PRs are super welcome! I assume it’s not a big patch to change.


(SneakyFish5) #3

I think I have an idea. Could it be because critical level audits isn’t included in parseable.js? I’m not too sure how to test but if you could look at my commit here and see if it works, I’ll open a PR.


(Lars Willighagen) #4

There seems to be a second issue going on too: parseable only checks the first resolves for each action. I have a PR for the first problem mentioned by @SneakyFish5 ready as well, plus a test case.


(SneakyFish5) #5

Oh you’ve already got a fix + plus a test case? Good stuff then, I won’t open the PR.


(Lars Willighagen) #6

Our fixes for the first issue are exactly the same commits but I’m not sure how possible it is to merge PRs. Here’s mine, anyway: https://github.com/npm/npm-audit-report/pull/28.


(Kat MarchΓ‘n) #7

Oh. It was literally missing. Lmao


(system) #8

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.