Merge pull request #5655 from brave/audit-script

Adds an audit script that ignores dev vulnerabilities
brave · May 27, 2020 · 64dd8d1 · 64dd8d1
1 parent a3557be
commit 64dd8d1
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 1 deletion.
diff --git a/package.json b/package.json
@@ -12,7 +12,7 @@
     "build-storybook": "build-storybook -c .storybook -o .storybook-out",
     "storybook": "start-storybook",
     "test-unit": "jest -t",
-    "test-security": "npm audit",
+    "test-security": "python script/audit_deps.py",
     "test-python-scripts": "npm run pep8 && PYTHONPATH=./script python -m unittest discover -s ./script/test"
   },
   "repository": {

diff --git a/script/audit_deps.py b/script/audit_deps.py
@@ -0,0 +1,66 @@
+#!/usr/bin/env python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this file,
+# You can obtain one at http://mozilla.org/MPL/2.0/.
+
+import sys
+import json
+import argparse
+import subprocess
+
+
+def main():
+    args = parse_args()
+    return audit_deps(args)
+
+
+def audit_deps(args):
+    npm_cmd = 'npm'
+    if sys.platform.startswith('win'):
+        npm_cmd = 'npm.cmd'
+
+    npm_args = [npm_cmd, 'audit']
+
+    # Just run audit regularly if --audit_dev_deps is passed
+    if args.audit_dev_deps:
+        return subprocess.call(npm_args)
+
+    npm_args.append('--json')
+    audit_process = subprocess.Popen(npm_args, stdout=subprocess.PIPE)
+    output, error_data = audit_process.communicate()
+
+    try:
+        result = json.loads(str(output))
+        resolutions = result['actions'][0]['resolves']
+        non_dev_exceptions = [r for r in resolutions if not r['dev']]
+    except ValueError:
+        # This can happen in the case of an NPM network error
+        print('Audit failed to return valid json')
+        return 1
+
+    print(output)
+
+    # Trigger a failure if there are non-dev exceptions
+    if non_dev_exceptions:
+        print('Audit finished, vulnerabilities found')
+        return 1
+
+    # Still pass if there are dev exceptions, but let the user know about them
+    if resolutions:
+        print('Audit finished, there are dev package warnings')
+    else:
+        print('Audit finished, no vulnerabilities found')
+    return 0
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(description='Audit brave-core npm deps')
+    parser.add_argument('--audit_dev_deps',
+                        action='store_true',
+                        help='Audit dev dependencies')
+    return parser.parse_args()
+
+
+if __name__ == '__main__':
+    sys.exit(main())