yarn-audit-wrap 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 23bf4109fd39849a1dd92e923bda87208ed87748b40bd9a682132c5bc71a10cb
+  data.tar.gz: 4167895a473bd8eff713e5749409e6cd847436f374647e8c5da69592593a05a2
+SHA512:
+  metadata.gz: 7aad5cf9648b1a091f107750529feec57c8d3bccbad22c0288f12642b35f29717ebddcad96a7f6633533827f2ea9b2a752ce356310f7c0f52d0c6e9f454c4dea
+  data.tar.gz: 45eb4fb53f9a7b3b523d0613f5f394f6d686307d9e562f61838a4f9c8320b18d6452da958d3cc3eba2cee013e88f1a9bd5c50cc7b29958998fb300629758e7ba

data/.standard.yml

@@ -0,0 +1,3 @@
+# For available configuration options, see:
+#   https://github.com/testdouble/standard
+ruby_version: 2.6

data/Gemfile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in yarn-audit-wrap.gemspec
+gemspec
+
+gem "rake", "~> 13.0"
+
+gem "minitest", "~> 5.0"
+
+gem "standard", "~> 1.3"

data/Guardfile

@@ -0,0 +1,29 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+## Uncomment and set this to only include directories you want to watch
+# directories %w(app lib config test spec features) \
+#  .select{|d| Dir.exist?(d) ? d : UI.warning("Directory #{d} does not exist")}
+
+## Note: if you are using the `directories` clause above and you are not
+## watching the project directory ('.'), then you will want to move
+## the Guardfile to a watched dir and symlink it back, e.g.
+#
+#  $ mkdir config
+#  $ mv Guardfile config/
+#  $ ln -s config/Guardfile .
+#
+# and, you'll have to watch "config/Guardfile" instead of "Guardfile"
+
+guard :standardrb, fix: false, all_on_start: true do
+  UI.info "StandardRb is initialized"
+  watch(/.+\.rb$/)
+end
+
+guard :minitest, all_after_pass: true do
+  # with Minitest::Unit
+  watch(%r{^bin/}) { "test" }
+  watch(%r{^test/(.*)/?test_(.*)\.rb$}) { "test" }
+  watch(%r{^lib/(.*/)?([^/]+)\.rb$}) { "test" }
+  watch(%r{^test/test_helper\.rb$}) { "test" }
+end

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 Eddy Kim
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,73 @@
+# Yarn::Audit::Wrap
+
+This is a ruby gem to parse the result of `yarn audit --json`.  You can filter
+different levels of findings, and ignore specific findings for a set time.
+
+It needs as input the json file, and a YAML configuration file with directives on
+individual findings to ignore.
+
+## Installation
+
+Install the gem and add to the application's Gemfile by executing:
+
+    $ bundle add yarn-audit-wrap
+
+If bundler is not being used to manage dependencies, install the gem by executing:
+
+    $ gem install yarn-audit-wrap
+
+## Usage
+```
+yarn-audit --file=<tmp/yarn-audit.json> --level=moderate,high,critical --ignorelist=<config/yarn-audit.yml>
+
+All switches are optional, with defaults as shown above.
+
+--help         This.
+--file         json output from "yarn audit". Path is relative to app root.
+--level        comma separated list of severity strings (case insensitive).
+               INFO
+               LOW
+               MODERATE
+               HIGH
+               CRITICAL
+               or use "ALL" to select all levels.
+--ignorelist   path relative to app root, a YAML file containing list of packages to ignore, see below for format.
+              default = config/yarn-audit.yml
+
+The ignorelist is a YAML file of an array of hashes
+```
+
+Sample YAML:
+```
+---
+:ignore:
+- github_advisory_id: GHSA-cj88-88mr-972w
+  :until: 2022-07-19
+```
+
+You can identify a finding by any key, `github_advisory_id`, `cve`, etc.  Please use
+the `:until` key with a date in the future that will re-enable the finding to avoid
+config pollution, as well as pushing for best-practices to remove vulnerable packages.
+
+## Possible future enhancements
+The next logical step would be to implement a workflow that helps fix vulnerable npm packages.
+There is currently no equivalent to `npm audit --fix` for yarn, and ignoring the controversy
+(<https://github.com/yarnpkg/yarn/issues/7075>), there are a number of workarounds
+that are currently in place.
+
+This will be the next step, but it is my hope that yarn implements the `--fix` feature
+and such a workaround will be unnecessary.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/edk/yarn-audit-wrap
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/test_*.rb"]
+end
+
+require "standard/rake"
+
+task default: %i[test standard]

data/bin/yarn_audit_wrap

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+
+require "yarn/audit/wrap.rb"
+require "pry"
+require "debug"
+
+begin
+  main = Yarn::Audit::Wrap::Main.new(ARGV)
+rescue Yarn::Audit::Wrap::ExitEarlyError
+  exit 0
+end
+
+rv = main.run
+exit rv
+

data/lib/yarn/audit/wrap/audit_parser.rb

@@ -0,0 +1,61 @@
+module Yarn
+  module Audit
+    module Wrap
+      class AuditParser
+        attr_accessor :output
+
+        def initialize opts:
+          @opts = opts
+          @ignored = {
+            info: [],
+            low: [],
+            moderate: [],
+            high: [],
+            critical: []
+          }
+          parse_json_audit
+        end
+
+        def parse_json_audit
+          audit_json = @opts[:audit_json]
+          @output = if File.exist?(audit_json)
+            File.readlines(audit_json).map do |line|
+              JSON.parse(line)
+            end
+          else
+            []
+          end
+        end
+
+        def add_ignored(type:, val:)
+          @ignored[type.to_sym] << val
+        end
+
+        def select(&blk)
+          if @output
+            @output.select do |item|
+              yield item if item["type"] == "auditAdvisory"
+            end
+          else
+            []
+          end
+        end
+
+        def get_summary
+          @output.detect { |item| item["type"] == "auditSummary" } || {}
+        end
+
+        def print_summary
+          puts "\nOriginal Yarn Audit:"
+          s = get_summary["data"] || {}
+          s.each { |k, v| puts "#{k.to_s.rjust(23)}: #{v.inspect}" }
+
+          puts "\nSkipped vulnerabilities:"
+          @ignored.each do |k, v|
+            puts "#{k.to_s.rjust(23)}: #{v.size}"
+          end
+        end
+      end # class
+    end # Wrap
+  end
+end

data/lib/yarn/audit/wrap/config.rb

@@ -0,0 +1,30 @@
+module Yarn
+  module Audit
+    module Wrap
+      class Config
+        def initialize(opts:)
+          # format of config file:
+          # hash with ignore: key, an array of hashes.  Each hash can have one or more
+          # keys where the value is matched.
+          # One additional key is `until: <date>` where the ignore item is resurfaced,
+          # to avoid eternal vulnerabilities.
+          # YAML.dump({ ignore: [ { "github_adivosry_id" => "GHSA-cj88-88mr-972w" } ] })
+          audit_config = opts[:audit_config]
+          @config = if File.exist?(audit_config)
+            YAML.safe_load(File.read(audit_config), permitted_classes: [Symbol, Date])
+          else
+            {}
+          end
+        end
+
+        def ignores
+          if @config && @config.size > 0
+            @config[:ignore]
+          else
+            []
+          end
+        end
+      end
+    end # Wrap
+  end
+end

data/lib/yarn/audit/wrap/opt_parser.rb

@@ -0,0 +1,93 @@
+module Yarn
+  module Audit
+    module Wrap
+      class OptParser
+        attr_accessor :opts
+
+        def audit_levels
+          opts[:audit_levels]
+        end
+
+        def initialize args, output: $stdout
+          @output = output
+          @err_output = @output == $stdout ? $stderr : @output
+          defaults = {
+            audit_config: "config/yarn-audit.yml", # configuration and ignorelists
+            audit_json: "tmp/yarn-audit.json", # the result of a yarn audit
+            audit_levels: "moderate,high,critical".split(",")
+          }
+
+          opts = defaults.dup
+          args.each do |arg|
+            key, val = arg.split("=")
+            case key
+            when "--help"
+              usage
+              raise ExitEarlyError
+            when "--skip-audit-gen"
+              opts[:skip_audit_gen] = true
+            when "--file"
+              check_file_exists val
+              opts[:audit_json] = val
+            when "--level"
+              raise MissingOptionValueError.new("missing option for --level") if val.nil?
+              opts[:audit_levels] = val.downcase.split(",").map(&:strip)
+              levels = %w[info low moderate high critical all]
+              opts[:audit_levels] = levels - ["all"] if opts[:audit_levels].include?("all")
+              if !(opts[:audit_levels] - levels).empty?
+                @err_output.puts "ERROR: Unknown audit level used in --levels option"
+                @err_output.puts "       Please check: #{val}"
+                @err_output.puts "ABORTING"
+                raise BadLevelOptionValueError.new(val.to_s)
+              end
+            when "--ignorelist"
+              opts[:audit_config] = val
+              check_file_exists val
+            else
+              @err_output.puts "ERROR: unknown option: #{key}=#{val}"
+              @err_output.puts "aborting."
+              raise UnknownOptionError.new("#{key}=#{val}")
+            end
+          end
+          @opts = opts
+        end
+
+        def [](key)
+          @opts[key]
+        end
+
+        def usage
+          @output.puts <<~USAGE
+            Usage:
+               yarn-audit --file=<tmp/yarn-audit.json> --level=moderate,high,critical --ignorelist=<config/yarn-audit.yml>
+               All switches are optional, with defaults as shown above.
+
+               --help         This.
+               --file         json output from "yarn audit". Path is relative to app root.
+               --level        comma separated list of severity strings (case insensitive).
+                                INFO
+                                LOW
+                                MODERATE
+                                HIGH
+                                CRITICAL
+                              or use "ALL" to select all levels.
+               --ignorelist   path relative to app root, a YAML file containing list of packages to ignore, see below for format.
+                              default = config/yarn-audit.yml
+
+              The ignorelist is a YAML file of an array of hashes
+              TODO: show example and structure of ignorelist file.
+          USAGE
+        end
+
+        def check_file_exists(filename)
+          raise MissingOptionValueError if filename.nil?
+          if !File.exist?(filename)
+            @err_output.puts "ERROR: missing file #{filename}"
+            @err_output.puts "aborting."
+            raise FileNotFoundError.new("Missing file #{filename}")
+          end
+        end
+      end # Parser
+    end
+  end
+end

data/lib/yarn/audit/wrap/version.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Yarn
+  module Audit
+    module Wrap
+      VERSION = "0.1.0"
+    end
+  end
+end

data/lib/yarn/audit/wrap/yarn_command.rb

@@ -0,0 +1,20 @@
+require "fileutils"
+
+module Yarn
+  module Audit
+    module Wrap
+      class YarnCommand
+        def initialize opts:
+          @opts = opts
+        end
+
+        def run
+          filepath = @opts[:audit_json].to_s
+          FileUtils.mkdir_p File.dirname(filepath)
+          outfile = Shellwords.escape(filepath)
+          system("yarn audit --json > #{outfile}")
+        end
+      end
+    end # Wrap
+  end
+end

data/lib/yarn/audit/wrap.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+require "json"
+require "yaml"
+require "date"
+require_relative "wrap/audit_parser"
+require_relative "wrap/config"
+require_relative "wrap/opt_parser"
+require_relative "wrap/version"
+require_relative "wrap/yarn_command"
+require "active_support/all"
+
+module Yarn
+  module Audit
+    module Wrap
+      class Error < StandardError; end
+
+      class FileNotFoundError < StandardError; end
+
+      class MissingOptionValueError < StandardError; end
+
+      class BadLevelOptionValueError < StandardError; end
+
+      class UnknownOptionError < StandardError; end
+
+      class ExitEarlyError < StandardError; end
+
+      class YarnAuditRuntimeError < StandardError; end
+
+      class Main
+        def err str
+          # While I like the idea of standardrb, its recommendation in this case is absolute garbage.
+          # Errors should always go to stderr, not warn.
+          $stderr.send(:puts, str)
+        end
+
+        def warn str
+          $stdout.puts str
+        end
+
+        # Initialize the main loop
+        #
+        # @param args list [Strings] ARGV, can be an empty array, if no options were passed in.
+        # In that case, the defaults will be used.
+        #
+        def initialize args
+          @opts = OptParser.new(args)
+        rescue FileNotFoundError
+          err "File not found"
+        rescue MissingOptionValueError
+          err "Missing value for option #{$!}"
+        end
+
+        def run
+          # generates a tmp/yarn-audit.json by default.  Change @opts to rename/move output file.
+          cmd = YarnCommand.new(opts: @opts) unless @opts[:skip_audit_gen]
+          raise YarnAuditRuntimeError if !cmd
+          cmd.run
+
+          # parse output of yarn audit and store
+          audit_output = AuditParser.new(opts: @opts)
+
+          # load config, such as ignorelists
+          config = Config.new(opts: @opts)
+
+          # check and return results
+          rv = process audit_output: audit_output, config: config, opts: @opts
+
+          audit_output.print_summary
+
+          rv.size # number of vulnerabilities.  0 is shell for success, non-zero is failure!
+        end
+
+        def process(audit_output:, config:, opts:)
+          levels = opts[:audit_levels]
+          used = []
+
+          audit_output.select do |item|
+            if levels.include?(item["data"]["advisory"]["severity"]) &&
+                use_advisory?(advisory: item, config: config)
+              used << item
+            else
+              audit_output.add_ignored type: item["data"]["advisory"]["severity"], val: item
+            end
+          end
+
+          used
+        end
+
+        def handle_advisories(advisories:, summary:, opts:)
+          # print if any, return proper exit code
+          if advisories && advisories.size > 0
+            warn "yarn-audit: #{advisories.size} flagged packages"
+            exit 1
+          else
+            warn "yarn-audit: No advisories flagged."
+            warn summary.inspect
+            exit 0
+          end
+        end
+
+        # advisory is a single line from yarn audit --json output
+        # config is a set of all the ignore directives.  Find if the advisory is included in
+        # the ignore list, and if so see if the values match and if the optional until: date is set.
+        # If the Date is present and past, use the advisory, otherwise ignore it until the date is past.
+        def use_advisory?(advisory:, config:)
+          config.ignores.detect do |ignore_item|
+            found = (ignore_item.keys - [:until]).all? do |key|
+              (advisory["data"]["advisory"][key] == ignore_item[key])
+            end
+            if found
+              record = advisory["data"]["advisory"]
+              if ignore_item[:until]&.past?
+                warn "Found expired vulnerability.  Using advisory \"#{record["title"]}\""
+              else
+                warn "Actively ignoring.  \"#{record["title"]}\""
+                return false
+              end
+            else
+              warn "not found"
+              return true
+            end
+          end
+          true
+        end
+      end # Main
+    end
+  end
+end

data/sig/yarn/audit/wrap.rbs

@@ -0,0 +1,8 @@
+module Yarn
+  module Audit
+    module Wrap
+      VERSION: String
+      # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+    end
+  end
+end

metadata

@@ -0,0 +1,162 @@
+--- !ruby/object:Gem::Specification
+name: yarn-audit-wrap
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Eddy Kim
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2022-07-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: debug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-standardrb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest-reporters
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |2-
+
+    Script to parse and manage different levels of vulnerabilities from `yarn audit` in rails projects.
+    Also features a way to temporarily or permanently ignore vulnerabilities, due to
+    false positives or no alternatives for unfixed packages.
+email:
+- eddyhkim@gmail.com
+executables:
+- yarn_audit_wrap
+extensions: []
+extra_rdoc_files: []
+files:
+- ".standard.yml"
+- Gemfile
+- Guardfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/yarn_audit_wrap
+- lib/yarn/audit/wrap.rb
+- lib/yarn/audit/wrap/audit_parser.rb
+- lib/yarn/audit/wrap/config.rb
+- lib/yarn/audit/wrap/opt_parser.rb
+- lib/yarn/audit/wrap/version.rb
+- lib/yarn/audit/wrap/yarn_command.rb
+- sig/yarn/audit/wrap.rbs
+homepage: https://github.com/edk/yarn-audit-wrap
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/edk/yarn-audit-wrap
+  source_code_uri: https://github.com/edk/yarn-audit-wrap
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key:
+specification_version: 4
+summary: Run yarn audit and parse json results, for use in CI
+test_files: []