sonatype-nexus-community/auditjs sonatype-nexus-community/auditjs

  • Stars
    star
    223
  • Rank 177,566 (Top 4 %)
  • Language
    TypeScript
  • License
    Apache License 2.0
  • Created about 9 years ago
  • Updated 3 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
sonatype-nexus-community/auditjs
github

sonatype-nexus-community

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Audits an NPM package.json file to identify known vulnerabilities.

AuditJS

CircleCI

IMPORTANT NOTE: Welcome to AuditJS 4.0.0, lots has changed since 3.0.0, mainly around usage. Make sure to read the new docs.

If you have an issue migrating from AuditJS 3.x to AuditJS 4.x, please file a GitHub issue here.

Audits JavaScript projects using the OSS Index v3 REST API to identify known vulnerabilities and outdated package versions.

Supports any project with package managers that install npm dependencies into a node_modules folder including:

  • npm
  • Angular
  • yarn
  • bower

Requirements

For users wanting to use Nexus IQ Server as their data source for scanning:

  1. Version 77 or above must be installed. This is when the Third-Party Scan REST API was incorporated into Nexus IQ Server.

  2. The User performing the scan must have the permission "Can Evaluate Applications", this can be found in the Role Editor > User > Permissions > IQ

Installation

You can use auditjs a number of ways:

via npx (least permanent install)

npx auditjs@latest ossi

via global install (most permanent install)

npm install -g auditjs

We suggest you use it via npx, as global installs are generally frowned upon in the nodejs world.

Usage

auditjs supports node LTS versions of 8.x forward at the moment. Usage outside of these node versions will error.

Note that the OSS Index v3 API is rate limited. If you are seeing errors that indicate a problem (HTTP code 429) then you may need to make an account at OSS Index and supply the username and "token". See below for more details.

Generic Usage

auditjs [command]

Commands:
  auditjs iq [options]    Audit this application using Nexus IQ Server
  auditjs config          Set config for OSS Index or Nexus IQ Server
  auditjs ossi [options]  Audit this application using Sonatype OSS Index

Options:
  --version  Show version number                                       [boolean]
  --help     Show help                                                 [boolean]

OSS Index Usage

auditjs ossi [options]

Audit this application using Sonatype OSS Index

Options:
  --version        Show version number                                 [boolean]
  --help           Show help                                           [boolean]
  --user, -u       Specify OSS Index username                           [string]
  --password, -p   Specify OSS Index password or token                  [string]
  --cache, -c      Specify path to use as a cache location              [string]
  --quiet, -q      Only print out vulnerable dependencies              [boolean]
  --json, -j       Set output to JSON                                  [boolean]
  --xml, -x        Set output to JUnit XML format                      [boolean]
  --whitelist, -w  Set path to whitelist file                           [string]
  --clear          Clears cache location if it has been set in config  [boolean]
  --bower          Force the application to explicitly scan for Bower  [boolean]

Nexus IQ Server Usage

auditjs iq [options]

Audit this application using Nexus IQ Server

Options:
  --version          Show version number                               [boolean]
  --help             Show help                                         [boolean]
  --application, -a  Specify IQ application public ID        [string] [required]
  --stage, -s        Specify IQ app stage
  [choices: "develop", "build", "stage-release", "release"] [default: "develop"]
  --server, -h       Specify IQ server url/port
                                     [string] [default: "http://localhost:8070"]
  --timeout, -t      Specify an optional timeout in seconds for IQ Server
                     Polling                             [number] [default: 300]
  --user, -u         Specify username for request    [string] [default: "admin"]
  --password, -p     Specify password for request [string] [default: "admin123"]
  --artie, -x        Artie                                             [boolean]
  --dev, -d          Include Development Dependencies                  [boolean]

AuditJS usage with IQ Server, and what to expect

TL;DR

AuditJS should catch most if not the exact same amount of issues as the Sonatype Nexus IQ CLI Scanner. It however can't catch a few cases. If you want total visibility, please use the Sonatype Nexus IQ CLI Scanner. You can use both in tandem, too.

The full scoop

AuditJS functions by traversing your node_modules folder in your project, so it will pick up the dependencies that are physically installed. This will capture your declared as well as transititive dependencies. Once it has done this, it takes the list and converts it into something that we use to communicate with Sonatype Nexus IQ Server. The crux of this approach is that we do "coordinate" or "name based matching", which we've found to be reliable in the JavaScript ecosystem, but it will not catch corner cases such as if you've:

  • Drug a vulnerable copy of jQuery into your project and left it in a folder (npm does not know about this)
  • Copied and pasted code from a project into one of your files

The Nexus IQ CLI Scanner is equipped to locate and identify cases such as what I've just described. As such if you are using AuditJS, you would not be made aware of these cases, potentially until your code is audited by the IQ CLI Scanner later on.

It is our suggestion that when you are using this tooling to:

  • Use AuditJS in your dev environments, etc... and use it to scan as early and as often as possible. This will alert you and other developers to using bad dependencies right off the bat.
  • Use the Sonatype Nexus IQ CLI Scanner in CI/CD for a more thorough scan, and have development and your Application Security experts evaluate this scan for any "gotchas"

Usage Information

Execute from inside a node project (above the node_modules directory) to audit the dependencies. This will audit not only the direct dependencies of the project, but all transitive dependencies. To identify transitive dependencies they must all be installed for the project under audit.

If a vulnerability is found to be affecting an installed library the package header will be highlighted in red and information about the pertinent vulnerability will be printed to the screen.

By default we write all silly debug and error data to:

YOUR_HOME_DIR/.ossindex/.auditjs.combined.log

{ level: 'debug',
  message: 'Results audited',
  label: 'AuditJS',
  timestamp: '2019-12-22T20:09:33.447Z' }

Usage in CI

Jenkins

TBD

CircleCI

We've provided an example repo with a working CircleCI config on a "fake" but real project, you can see how it is all setup by clicking this link.

TravisCI

We've provided an example repo with a working TravisCI config on a "fake" but real project, you can see how it is all setup by clicking this link.

GitHub Actions

We've provided an example repo with a working GitHub Action on a "fake" but real project, you can see how it is all setup by clicking this link.

Proxy integration

The tool reads the http_proxy or https_proxy environment variables to perform network request through a Proxy.

Usage As A NPM Script

auditjs can be added as a devDependency to your project, and then an npm script can be added so you can leverage it in your npm scripts.

You would install auditjs like so:

$ npm i auditjs -D

An example snippet from a package.json:

  },
  "scripts": {
    "test": "mocha -r ts-node/register src/**/*.spec.ts",
    "build": "tsc -p tsconfig.json",
    "build-dev": "tsc -p tsconfig.development.json",
    "start": "node ./bin/index.js",
    "prepare": "npm run build",
    "prepublishOnly": "npm run test",
    "scan": "auditjs ossi"
  },
  "keywords": [

Now that we've added a scan script, you can run yarn run scan and your project will invoke auditjs and scan your dependencies. This can be handy for local work, or for if you want to run auditjs in CI/CD without installing it globally.

Note: these reference implementations are applicable to running an IQ scan as well. The caveat is that the config for the IQ url and auth needs to either be in the home directory of the user running the job, or stored as (preferably secret) environmental variables.

Config file

Config is now set via the command line, you can do so by running auditjs config. You will be prompted if you'd like to set Nexus IQ Server config or Sonatype OSS Index config. Reasonable defaults are provided for Sonatype Nexus IQ Server that will work for an out of the box install. It is STRONGLY suggested that you do not save your password in config (although it will work), but rather use a token from OSS Index or Nexus IQ Server.

Config passed in via the command line will be respected over filesystem based config so that you can override specific calls to either Sonatype OSS Index or Nexus IQ Server. Please see usage of either command to see how to set this command line config.

OSS Index Credentials

The OSS Index API is rate limited to prevent abuse. Guests (non-authorized users) are restricted to 16 requests of 120 packages each, which replenish at a rate of one request per minute. This means if you have 600 dependencies, then 5 requests will be used. No problem! If you have many projects which are run close to each other you could run into the limit.

You can either wait for the cool-down period to expire, or make a free account at OSS Index. By going to the "settings" page for your account, you will see your "token". Using your username (email address) and this security token you would have access to 64 requests, which is likely plenty for most use cases.

Audit.js caches results, which means if you run against multiple projects which have a common set of dependencies (and they almost certainly will) then you will not use up requests getting the same results more than once.

You can specify your credentials on either the command line or the configuration file. It is almost certainly better to put the credentials in a configuration file as described above, as using them on the command line is less secure.

Whitelisting

Whitelisting of vulnerabilities can be done! To accomplish this thus far we have implemented the ability to have a file named auditjs.json checked in to your repo ideally, so that it would be at the root where you run auditjs. Alternatively you can run auditjs with a whitelist file at a different location, with an example such as:

$ auditjs ossi --whitelist /Users/cooldeveloperperson/code/sonatype-nexus-community/auditjs/auditjs.json

The file should look like:

{
  "ignore": [{ "id": "78a61524-80c5-4371-b6d1-6b32af349043", "reason": "Insert reason here" }]
}

The only field that actually matters is id and that is the ID you receive from OSS Index for a vulnerability. You can add fields such as reason so that you later can understand why you whitelisted a vulnerability.

Any id that is whitelisted will be squelched from the results, and not cause a failure.

Alternative output formats

auditjs can output directly as json or as xml specifically formatted for JUnit test cases.

JSON:

auditjs ossi --json > file.json

XML:

auditjs ossi --xml > file.xml

We chose to allow output directly to the stdout, so that the user can decide what they want to do with it. If you'd like it to be written to a file by auditjs itself, pop in to this issue and let us know your thoughts!

Limitations

As this program depends on the OSS Index database, network access is required. Connection problems with OSS Index will result in an exception.

How to Fix Vulnerabilities

Or, "Patient: Hey Doc, it hurts when I do this. Doctor: Then don't do that."

So you've found a vulnerability. Now what? The best case is to upgrade the vulnerable component to a newer/non-vulnerable version. However, it is likely the vulnerable component is not a direct dependency, but instead is a transitive dependency (a dependency of a dependency, of a dependency, wash-rinse-repeat). In such a case, the first step is to figure out which direct dependency (and sub-dependencies) depend on the vulnerable component. The npm ls <vulnerable dependency> command will print a dependency tree that can lead you through this dependency forest.

If your project uses yarn, the yarn why <vulnerable dependency> command can provide a similar trail of breadcrumbs.

As an example, suppose we've learned that component hosted-git-info, version 2.8.8 is vulnerable (CVE-2021-23362). Use the command below to find which components depend on this vulnerable component.

  $ npm ls hosted-git-info
  [email protected] /Users/bhamail/sonatype/community/auditjs/auditjs
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected]

Now we know the [email protected] component has a transitive dependency on the vulnerable component [email protected]. The best solution would be to upgrade read-installed to a newer version that uses a non-vulnerable version of hosted-git-info. As of this writing, however, no such version of read-installed exists. The next step is to file an issue with the read-installed project for them to update the vulnerable sub-dependencies. Be sure to read and follow any vulnerability reporting instructions published by the project: Look for a SECURITY.md file, or other instructions on how to report vulnerabilities. Some projects may prefer you not report the vulnerability publicly. Here's our bug report for this case: bug #53

To fix this particular vulnerability in our project, we need some way to force the transitive dependency to a newer version. This would be relatively easy if we were using yarn (see yarn's selective dependency resolutions). Since we are not using yarn, we will use npm-force-resolutions. See the excellent npm-force-resolutions docs for details on how this works.

After updating our package.json file as described by npm-force-resolutions,

...
  "resolutions": {
    "hosted-git-info": "^3.0.8"
  },
  "scripts": {
    "preinstall": "npx npm-force-resolutions",
...

we run npm install, and verify our transitive dependency is updated to a new version.

$ rm -rf node_modules && npm install
$ npm ls hosted-git-info
[email protected] /Users/bhamail/sonatype/community/auditjs/auditjs
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]  invalid

npm ERR! invalid: [email protected] /Users/bhamail/sonatype/community/auditjs/auditjs/node_modules/normalize-package-data/node_modules/hosted-git-info

After updating the transitive dependency, we need to make sure the tests still pass:

npm run test
...
29 passing (84ms)

Victory! Commit the changes, and we're done.

You could also upgrade a higher level transitive dependency: read-package-json , like so:

  "resolutions": {
    "read-package-json": "^3.0.1"
  },

Credit

Thank you to everybody who has contributed to this project, both with code contributions and also suggestions, testing help, and notifying us of new and/or missing vulnerabilities.

Contributing

We care a lot about making the world a safer place, and that's why we continue to work on this and other plugins for Sonatype OSS Index. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!

Releasing

We use semantic-release to generate releases from commits to the main branch.

For example, to perform a "patch" release, add a commit to main with a comment like:

fix: Adds insecure flag, implements (#213)

The Fine Print

Remember:

It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)

  • Use this contribution at the risk tolerance that you have
  • Do NOT file Sonatype support tickets related to ossindex-lib
  • DO file issues here on GitHub, so that the community can pitch in

Phew, that was easier than I thought. Last but not least of all - have fun!

Getting help

Looking to contribute to our code but need some help? There's a few ways to get information:

More Repositories

1

nancy

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index
Go
560
star
2

search-maven-org

TypeScript
478
star
3

DevAudit

Open-source, cross-platform, multi-purpose security auditing tool
C#
360
star
4

nexus-repository-composer

Composer support for the Nexus Repository Manager (work in progress!)
Java
215
star
5

nexus-repository-import-scripts

A few scripts for importing artifacts into Nexus Repository
Shell
200
star
6

jake

Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.
Python
111
star
7

nexus-repository-apt

A Nexus Repository 3 plugin that allows usage of apt repositories
Java
105
star
8

nexus-repository-helm

At the Helm, Helm Yeah, v k8s
Java
97
star
9

nexus-scripting-examples

Sample scripts that use NXRM's scripting interface
HTML
85
star
10

scan-gradle-plugin

Gradle plugin that scans the dependencies of a Gradle project using Sonatype platforms: OSS Index and Nexus IQ Server.
Java
75
star
11

nexus-repository-cargo

Nexus Repository Cargo Format
Java
69
star
12

ahab

ahab is a tool to check for vulnerabilities in your apt, apk, or yum powered operating systems, powered by Sonatype OSS Index.
Go
66
star
13

repo-diff

Compare the contents of your hosted and proxy repositories for coordinate collisions
Python
60
star
14

audit.net

Identify known vulnerabilities in .net nuget dependencies
C#
55
star
15

gonexus

Go API for provisioning and interacting with Sonatype's Nexus Repository Manager and Nexus IQ Server
Go
44
star
16

helm-nexus-push

A plugin for helm that will push a chart to a Nexus Hosted Repository
Shell
43
star
17

nexus-repository-apk

Java
42
star
18

ossindex-gradle-plugin

Dependency audit plugin for gradle
Java
40
star
19

oysteR

Create purls from the filtered sands of your dependencies, powered by OSS Index
R
40
star
20

nexus-blobstore-google-cloud

Nexus Repository Manager Blobstore backed by Google Cloud Storage
Java
39
star
21

nexus-repository-conan

Conan the Barbarian, C packaging, fun times
Java
39
star
22

docker-nginx-nexus-repository

This is a template for deploying Nexus Repository Manager behind an NGINX reverse proxy.
Shell
36
star
23

nexus-repo-github-action

Nexus Repository for GitHub Actions
Dockerfile
36
star
24

nexus-repository-installer

Installer for Nexus Repository Manager 3
Dockerfile
32
star
25

nexus-repository-r

R, v data science, much functional programming, doge
Java
31
star
26

cargo-pants

Rust
28
star
27

cheque

Audit C/C++ projects (make, cmake, command line, etc.)
Go
23
star
28

nexus-cli

A Go based CLI for the Nexus platform
Go
22
star
29

nexus-repository-cpan

Much regex, v perl, super excite
Java
22
star
30

nexus-repository-p2

V Eclipse, hella P2, much OSGi
Java
21
star
31

iq-config-as-code

Python
20
star
32

nexus-iq-chrome-extension

Chrome extension for use with Sonatype Nexus Lifecycle - IQ server
CSS
20
star
33

copy-modules-webpack-plugin

A Webpack plugin which copies module sources to a separate directory
JavaScript
18
star
34

vscode-iq-plugin

Visual Studio Code plugin for Nexus IQ
TypeScript
18
star
35

nexusiq-successmetrics

An application for retrieving and viewing success metrics from Sonatype Nexus IQ
Java
15
star
36

chelsea

Dependency vulnerability auditor for Ruby
Ruby
14
star
37

bach

Dependency vulnerability auditor for PHP
PHP
14
star
38

nexus-repository-puppet

Java
13
star
39

nexus-blobstore-azure-cloud

Nexus Repository Manager Blobstore backed by Azure Blob Cloud Storage
Java
13
star
40

nexus-repository-terraform

12
star
41

nancy-github-action

Sonatype Nancy for GitHub Actions
Shell
11
star
42

iq-success-metrics2

10
star
43

nexus-format-archetype

Archetype for creating Nexus format plugin
Java
10
star
44

nexus-repository-vgo

Experimental repo for a vgo proxy and maybe more
Java
10
star
45

iq-fortify-parser

Deprecated Sonatype IQ Fortify SSC Community Integration 18.x to 20.x (replaced by Partner Integration version 4.x)
Java
10
star
46

iq-github-action

Sonatype Lifecycle GitHub Action
Shell
9
star
47

nexus-iq-server-installer

Installer for Nexus IQ Server
Dockerfile
9
star
48

nexus-repository-elpa

Java
9
star
49

deployment-reference-architecture

References for deploying Nexus products.
Mustache
9
star
50

nexus-repository-microsoft-symbol-server

Java
8
star
51

cs-auth-proxy

SAML SSO for Sonatype Nexus IQ
Shell
8
star
52

nexus-kubernetes-openshift

A Plugin for Sonatype Nexus to allow for automatic provisioning via K8s/OpenShift ConfigMaps and Secrets
Groovy
7
star
53

nexus-repository-conda

Java
7
star
54

iq-success-metrics

Python
7
star
55

intentionally-vulnerable-golang-project

This is a project we created that has dependencies with vulnerabilities, for us to test out nancy
Shell
7
star
56

nexus-iq-webhook-reference-implementation

A reference implementation for consuming webhooks via serverless.
JavaScript
7
star
57

nexus-development-guides

7
star
58

iq-webhook-listener

Shell
6
star
59

cyclonedx-sbom-examples

This repo has example CycloneDx xml formatted SBOMs for popular components across multiple ecosystems. Also, instructions for building and generating the sboms in the readme. If you add or update components, commit back up to the repo.
Java
6
star
60

nexus-platform-reference

Docker-compose project for demo's / testing / training
HTML
5
star
61

nexus-ci-examples

CI example builds and Sonatype Lifecycle analysis for different languages
Groovy
5
star
62

iq-api-examples

Repository for API example scripts for IQ Server.
Python
5
star
63

nexus-webhook-publish

A lil Golang app that takes Nexus Repo webhooks and uses them to publish components to other repos such as npmjs
Go
4
star
64

go-sona-types

Common utility packages for working with OSS Index, Nexus IQ Server, CycloneDX sboms or getting a....user-agent
Go
4
star
65

docker-nancy

nancy wrapped up as a Docker image for execution in a pipeline or via an alias in a terminal
Dockerfile
4
star
66

circleci-maven-release-orb

3
star
67

nexus-repository-cabal

Java
3
star
68

nexus-repository-chef

Java
3
star
69

circleci-nancy-orb

A CircleCI orb for using Nancy to scan your Golang projects
Go
3
star
70

hazelcast-swarm

Docker swarm discovery plugin for hazelcast
Java
3
star
71

terraform-provider-sonatyperepo

Terraform Provider for configuring Sonatype Nexus Repository Manager
Go
2
star
72

homebrew-nancy-tap

Ruby
2
star
73

DevAudit-Chocolatey-package

Chocolatey package configuration for DevAudit
PowerShell
2
star
74

hashbrowns

Go
2
star
75

devsecops-community-survey

The question set used for the DevSecOps Community Survey
2
star
76

circleci-nexus-orb

2
star
77

sonatype-platform-browser-extension

The Sonatype Platform Browser Extension
TypeScript
2
star
78

sonatype-field-workshop

Examples and docs for Sonatype field workshops
Java
2
star
79

nexus-hipchat-notifier

HipChat Connect Addon to notify a chat room when a component or asset is cached in a Nexus Repository
JavaScript
2
star
80

nexus-monitoring

Shell
2
star
81

nexus-lifecycle-gitlab

Creates image to use as a GitLab runner to perform Lifecycle Evaluations
Shell
2
star
82

the-cla

Sonatype's CLA bot - affectionally known as Paul Botsco
Go
2
star
83

nexus-repository-labrat2

Another place to test things, likely to be removed soon.
Java
2
star
84

terraform-provider-sonatypeiq

Terraform Provider for configuring Sonatype IQ Server
Go
2
star
85

nexus-iq-api-client

Generated API Clients for Nexus IQ Server
Python
2
star
86

nexus-community-it-support

Library that offers support for booting NXRM + community plugin for integration testing
Java
2
star
87

iq-fortify-ssc-integration

Integration service to pass data from IQ to SSC (deprecated in favor of iq-fortify-parser)
Java
2
star
88

codetocloud-workshop

JavaScript
1
star
89

nexus-repository-labrat

Test of custom Nexus Format, created using the Nexus Format Archetype
Java
1
star
90

speedbump

Swift
1
star
91

ossindex-python

Python library for querying OSS Index
Python
1
star
92

nexus-iq-api-client-go

Generated API Client in Go for Sonatype IQ Server
Shell
1
star
93

nexus-groovy-scripts

A collection of groovy scripts for Nexus Repository Manager 3
1
star
94

js-sona-types

Like go-sona-types, but for Javascript!
TypeScript
1
star
95

log4j-hackapp

Hackable applicaiton
Java
1
star
96

example-auditjs-repo

1
star
97

example-ahab-repo

Dockerfile
1
star
98

nexus-it-script-client

Java
1
star
99

jake-github-action

Sonatype Jake for GitHub Actions
Dockerfile
1
star
100

commercial-contributions

1
star