@sudoplatform/sudo-common 8.8.6 → 8.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -2,14 +2,28 @@
2
2
  #
3
3
  # Insert a audit identifier to suppress in verification proccess.
4
4
  #
5
+ # Suppressions are objects added to the auditSuppresions element of package.json
6
+ # and are of the form:
7
+ #
8
+ # "auditSuppressions": {
9
+ # "<numeric-vulnerability-id>": {
10
+ # "until": <numeric-expiry-in-seconds-since-epoch>,
11
+ # "untilISO": "<expiry-time-in-ISO8601-format>",
12
+ # "reason": "<string-text-for-recording-reason-for-suppression>"
13
+ # }
14
+ # }
15
+ #
5
16
 
6
17
  auditid=$1
18
+ shift
19
+ reason="${*}"
7
20
  PACKAGE_JSON="package.json"
8
21
 
9
- if [ -z $auditid ]; then
10
- echo "Usage: yarn suppress-audit <audit id>"
22
+ if [ -z "$auditid" ] || [ -z "$reason" ]; then
23
+ echo "Usage: yarn suppress-audit <audit id> <reason>"
11
24
  exit 1
12
25
  fi
26
+
13
27
  cp $PACKAGE_JSON $PACKAGE_JSON.old
14
- cat $PACKAGE_JSON | jq ".auditSuppressions.\"$auditid\" = (now | floor | . + 1209600)" > $PACKAGE_JSON.staging
28
+ cat $PACKAGE_JSON | jq '(now | floor | . + 1209600) as $expiry | .auditSuppressions."'"$auditid"'" = {"until": $expiry,"untilISO":($expiry | strftime("%FT%TZ") ),"reason":"'"${reason}"'"}' > $PACKAGE_JSON.staging
15
29
  mv $PACKAGE_JSON.staging $PACKAGE_JSON
@@ -1,16 +1,43 @@
1
1
  #!/bin/sh
2
2
 
3
- yarn audit --json --groups "dependencies devDependencies" | jq -s -c 'map(select(.type == "auditAdvisory").data.advisory) | unique_by(.id) | .[] | {id, title, module_name, vulnerable_versions, patched_versions, severity, findings}' | (new=""; while read advisory ; do
3
+ # Run yarn audit reading any suppressions from the auditSuppressions element
4
+ # of package.json.
5
+ #
6
+ # Suppressions are added by yarn suppress-audit and are of the form:
7
+ #
8
+ # "auditSuppressions": {
9
+ # "<numeric-vulnerability-id>": {
10
+ # "until": <numeric-expiry-in-seconds-since-epoch>,
11
+ # "untilISO": "<expiry-time-in-ISO8601-format>",
12
+ # "reason": "<string-text-for-recording-reason-for-suppression>"
13
+ # }
14
+ # }
15
+ #
16
+ # Previously, the value of the audit suppression was jsut the expiry timestamp
17
+ # this old format is still recognized by this script.
18
+ #
19
+ yarn audit --json --groups "dependencies devDependencies" | \
20
+ jq -M -s -c 'map(select(.type == "auditAdvisory").data.advisory) | unique_by(.id) | .[] | {id, title, module_name, vulnerable_versions, patched_versions, severity, findings}' | \
21
+ (new=""; while read -r advisory ; do
4
22
  id=$(echo "${advisory}" | jq '.id')
5
23
  suppression=$(jq ".auditSuppressions[\"$id\"] | select (. != null)" package.json)
6
24
  if [ -z "$suppression" ]; then
7
25
  echo "New advisory ${id}:"
8
26
  echo "${advisory}" | jq .
9
27
  new=1
10
- elif [ $(date '+%s') -gt "$suppression" ]; then
11
- echo "Suppression for advisory ${id} has expired. Please revisit:"
12
- echo "${advisory}" | jq .
13
- new=1
28
+ else
29
+ if expr "$suppression" : '^[0-9][0-9]*$' >/dev/null ; then
30
+ # Old style suppression that was just the expiry timestamp
31
+ expiry="$suppression"
32
+ else
33
+ # New style suppression is a JSON object
34
+ expiry=$(echo "$suppression" | jq -M -c ".until // 0")
35
+ fi
36
+ if [ "$(date '+%s')" -gt "$expiry" ]; then
37
+ echo "Suppression for advisory ${id} has expired. Please revisit:"
38
+ echo "${advisory}" | jq .
39
+ new=1
40
+ fi
14
41
  fi
15
42
  done
16
43
  if [ -n "${new}" ]; then
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@sudoplatform/sudo-common",
3
- "version": "8.8.6",
3
+ "version": "8.9.0",
4
4
  "author": "Anonyome Labs, Inc.",
5
5
  "repository": {
6
6
  "type": "git",
@@ -52,13 +52,13 @@
52
52
  "**/apollo-client": "^2.6.10"
53
53
  },
54
54
  "dependencies": {
55
- "@aws-sdk/client-s3": "^3.490.0",
55
+ "@aws-sdk/client-s3": "^3.588.0",
56
56
  "apollo-client": "^2.6.10",
57
57
  "asn1js": "^3.0.5",
58
58
  "browser-bunyan": "^1.8.0",
59
59
  "fflate": "^0.8.2",
60
60
  "graphql": "^15.8.0",
61
- "pkijs": "^3.0.16",
61
+ "pkijs": "^3.1.0",
62
62
  "tslib": "^2.6.2"
63
63
  },
64
64
  "peerDependencies": {
@@ -84,7 +84,7 @@
84
84
  "jest": "^27.5.1",
85
85
  "monocle-ts": "^2.3.13",
86
86
  "newtype-ts": "^0.3.5",
87
- "prettier": "^3.2.5",
87
+ "prettier": "^3.3.0",
88
88
  "rimraf": "^5.0.7",
89
89
  "ts-jest": "^27.1.5",
90
90
  "ts-mockito": "^2.6.1",