diff --git a/README.md b/README.md index 2e6b95b1..9c944f3e 100644 --- a/README.md +++ b/README.md @@ -65,7 +65,7 @@ Example CircleCI `config.yml`: version: 2.1 orbs: - salus: federacy/salus@2.5.1 + salus: federacy/salus@2.6.1 workflows: main: diff --git a/integrations/circleci/README.md b/integrations/circleci/README.md index 71d72685..ad807402 100644 --- a/integrations/circleci/README.md +++ b/integrations/circleci/README.md @@ -24,7 +24,7 @@ Note: active_scanners and enforced_scanners must be yaml formatted for Salus con version: 2.1 orbs: - salus: federacy/salus@2.5.1 + salus: federacy/salus@2.6.1 workflows: main: @@ -38,7 +38,7 @@ workflows: version: 2.1 orbs: - salus: federacy/salus@2.5.1 + salus: federacy/salus@2.6.1 workflows: main: @@ -53,7 +53,7 @@ workflows: version: 2.1 orbs: - salus: federacy/salus@2.5.1 + salus: federacy/salus@2.6.1 workflows: main: @@ -68,7 +68,7 @@ workflows: ``` version: 2.1 orbs: - salus: federacy/salus@2.5.1 + salus: federacy/salus@2.6.1 executors: salus_2_4_2: docker: diff --git a/integrations/circleci/orb.yml b/integrations/circleci/orb.yml index 2561aeb2..486009ea 100644 --- a/integrations/circleci/orb.yml +++ b/integrations/circleci/orb.yml @@ -82,7 +82,7 @@ examples: usage: version: 2.1 orbs: - salus: federacy/salus@2.5.1 + salus: federacy/salus@2.6.1 workflows: salus_scan: jobs: @@ -92,7 +92,7 @@ examples: usage: version: 2.1 orbs: - salus: federacy/salus@2.5.1 + salus: federacy/salus@2.6.1 workflows: salus_scan: jobs: @@ -103,7 +103,7 @@ examples: usage: version: 2.1 orbs: - salus: federacy/salus@2.5.1 + salus: federacy/salus@2.6.1 workflows: salus_scan: jobs: @@ -114,7 +114,7 @@ examples: usage: version: 2.1 orbs: - salus: federacy/salus@2.5.1 + salus: federacy/salus@2.6.1 executors: salus_2_4_2: docker: diff --git a/lib/salus.rb b/lib/salus.rb index 90544e99..af0abd7b 100644 --- a/lib/salus.rb +++ b/lib/salus.rb 
@@ -19,7 +19,7 @@ require 'salus/processor' module Salus - VERSION = '2.6.0'.freeze + VERSION = '2.6.1'.freeze DEFAULT_REPO_PATH = './repo'.freeze # This is inside the docker container at /home/repo. SafeYAML::OPTIONS[:default_mode] = :safe diff --git a/lib/salus/scanners/node_audit.rb b/lib/salus/scanners/node_audit.rb index 33927c65..133ae819 100644 --- a/lib/salus/scanners/node_audit.rb +++ b/lib/salus/scanners/node_audit.rb @@ -63,7 +63,7 @@ def run # For all advisories, prod = raw_advisories_for_id.any? do |raw_advisory| # any there there any instances in the prod dependency tree? - raw_advisory.fetch(:findings).any? { |finding| !finding.fetch(:dev) } + raw_advisory.fetch(:findings).any? { |finding| !finding.fetch(:dev, false) } end Advisory.new(id, module_name, title, severity, url, prod, excepted) diff --git a/spec/fixtures/integration/expected_report.json b/spec/fixtures/integration/expected_report.json index c0bc3184..75eb9663 100644 --- a/spec/fixtures/integration/expected_report.json +++ b/spec/fixtures/integration/expected_report.json @@ -1,5 +1,5 @@ { - "version": "2.6.0", + "version": "2.6.1", "passed": true, "running_time": 0.0, "scans": { diff --git a/spec/fixtures/npm_audit/failure-2/package-lock.json b/spec/fixtures/npm_audit/failure-2/package-lock.json new file mode 100644 index 00000000..b7e276da --- /dev/null +++ b/spec/fixtures/npm_audit/failure-2/package-lock.json 
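Review bot: The new default in `raw_advisory.fetch(:findings).any? { |finding| !finding.fetch(:dev, false) }` silently decides how a finding with no `dev` flag is classified, and the comment above it does not say so; since `prod` is passed straight into `Advisory.new(id, module_name, title, severity, url, prod, excepted)` on the last hunk line and presumably drives the prod/dev split that decides pass or fail, the fail-closed choice (missing flag counts as production) deserves to be stated. I would replace the garbled comment `# any there there any instances in the prod dependency tree?` with `# are there any instances in the prod dependency tree? A finding without a :dev key is counted as prod so it is never dropped from the gate.` Note that `fetch(:findings)` keeps its bare form, so a raw advisory with no `findings` array still raises KeyError rather than being skipped — consistent with failing loud, but worth a word if that asymmetry is intentional. The enclosing `run` method begins and ends outside this hunk.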
@@ -0,0 +1,28 @@ +{ + "name": "www", + "version": "1.0.0", + "lockfileVersion": 1, + "requires": true, + "dependencies": { + "classnames": { + "version": "2.2.6", + "resolved": "https://registry.npmjs.org/classnames/-/classnames-2.2.6.tgz", + "integrity": "sha512-JR/iSQOSt+LQIWwrwEzJ9uk0xfN3mTVYMwt1Ir5mUcSN6pU+V4zQFFaJsclJbPuAUQH+yfWef6tm7l1quW3C8Q==" + }, + "mobx": { + "version": "3.6.2", + "resolved": "http://registry.npmjs.org/mobx/-/mobx-3.6.2.tgz", + "integrity": "sha512-Dq3boJFLpZEvuh5a/MbHLUIyN9XobKWIb0dBfkNOJffNkE3vtuY0C9kSDVpfH8BB0BPkVw8g22qCv7d05LEhKg==" + }, + "uglify-js": { + "version": "1.2.3", + "resolved": "http://registry.npmjs.org/uglify-js/-/uglify-js-1.2.3.tgz", + "integrity": "sha1-OwzmYxoo3KpkMCuJMSOyCHa9xTY=" + }, + "merge": { + "version": "1.2.0", + "resolved": "http://registry.npmjs.org/merge/-/merge-1.2.0.tgz", + "integrity": "sha1-" + } + } +} diff --git a/spec/fixtures/npm_audit/failure-2/package.json b/spec/fixtures/npm_audit/failure-2/package.json new file mode 100644 index 00000000..15aa82da --- /dev/null +++ b/spec/fixtures/npm_audit/failure-2/package.json @@ -0,0 +1,26 @@ +{ + "name": "www", + "version": "1.0.0", + "description": "Test package.json file.", + "main": "index.js", + "engines": { + "npm": ">= 4.0.0", + "node": ">= 6.9" + }, + "scripts": { + "test": "test" + }, + "repository": { + "type": "git", + "url": "test" + }, + "author": "", + "license": "ISC", + "dependencies": { + "classnames": "^2.2.5", + "mobx": "^3.2.1", + "uglify-js": "1.2.3", + "merge": "1.2.0" + } + } + \ No newline at end of file diff --git a/spec/fixtures/processor/local_uri/expected_report.json b/spec/fixtures/processor/local_uri/expected_report.json index b65bc2dc..f04ca9c7 100644 --- a/spec/fixtures/processor/local_uri/expected_report.json +++ b/spec/fixtures/processor/local_uri/expected_report.json @@ -1,5 +1,5 @@ { - "version": "2.6.0", + "version": "2.6.1", "passed": true, "running_time": 0.0, "scans": { 
diff --git a/spec/fixtures/processor/remote_uri/expected_report.json b/spec/fixtures/processor/remote_uri/expected_report.json index bd7cb9b5..b8cca927 100644 --- a/spec/fixtures/processor/remote_uri/expected_report.json +++ b/spec/fixtures/processor/remote_uri/expected_report.json @@ -1,5 +1,5 @@ { - "version": "2.6.0", + "version": "2.6.1", "passed": true, "running_time": 0.0, "scans": { diff --git a/spec/fixtures/yarn_audit/failure-2/package.json b/spec/fixtures/yarn_audit/failure-2/package.json new file mode 100644 index 00000000..15aa82da --- /dev/null +++ b/spec/fixtures/yarn_audit/failure-2/package.json @@ -0,0 +1,26 @@ +{ + "name": "www", + "version": "1.0.0", + "description": "Test package.json file.", + "main": "index.js", + "engines": { + "npm": ">= 4.0.0", + "node": ">= 6.9" + }, + "scripts": { + "test": "test" + }, + "repository": { + "type": "git", + "url": "test" + }, + "author": "", + "license": "ISC", + "dependencies": { + "classnames": "^2.2.5", + "mobx": "^3.2.1", + "uglify-js": "1.2.3", + "merge": "1.2.0" + } + } + \ No newline at end of file diff --git a/spec/fixtures/yarn_audit/failure-2/yarn.lock b/spec/fixtures/yarn_audit/failure-2/yarn.lock new file mode 100644 index 00000000..cc2c0a1c --- /dev/null +++ b/spec/fixtures/yarn_audit/failure-2/yarn.lock 
@@ -0,0 +1,18 @@ +# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. +# yarn lockfile v1 + + +classnames@^2.2.5: + version "2.2.6" + resolved "https://registry.yarnpkg.com/classnames/-/classnames-2.2.6.tgz#43935bffdd291f326dad0a205309b38d00f650ce" + integrity sha512-JR/iSQOSt+LQIWwrwEzJ9uk0xfN3mTVYMwt1Ir5mUcSN6pU+V4zQFFaJsclJbPuAUQH+yfWef6tm7l1quW3C8Q== + +mobx@^3.2.1: + version "3.6.2" + resolved "https://registry.yarnpkg.com/mobx/-/mobx-3.6.2.tgz#fb9f5ff5090539a1ad54e75dc4c098b602693320" + integrity sha512-Dq3boJFLpZEvuh5a/MbHLUIyN9XobKWIb0dBfkNOJffNkE3vtuY0C9kSDVpfH8BB0BPkVw8g22qCv7d05LEhKg== + +uglify-js@1.2.3: + version "1.2.3" + resolved "https://registry.yarnpkg.com/uglify-js/-/uglify-js-1.2.3.tgz#3b0ce6631a28dcaa64302b893123b20876bdc536" + integrity sha1-OwzmYxoo3KpkMCuJMSOyCHa9xTY= diff --git a/spec/lib/salus/scanners/node_audit_spec.rb b/spec/lib/salus/scanners/node_audit_spec.rb index 4d26c65a..a1b630e0 100644 --- a/spec/lib/salus/scanners/node_audit_spec.rb +++ b/spec/lib/salus/scanners/node_audit_spec.rb @@ -34,6 +34,25 @@ useless_exceptions: [] ) end + + it 'should fail, recording advisory ids and npm output' do + repo = Salus::Repo.new("spec/fixtures/#{klass_snake_str}/failure-2") + scanner = klass_obj.new(repository: repo, config: {}) + scanner.run + + expect(scanner.report.passed?).to eq(false) + info = scanner.report.to_h.fetch(:info) + expect(info.key?(:stdout)).to eq(true) + expect(info).to include( + prod_advisories: %w[39 48 722], + dev_advisories: [], + unexcepted_prod_advisories: %w[39 48 722], + exceptions: [], + prod_exceptions: [], + dev_exceptions: [], + useless_exceptions: [] + ) + end end context 'no CVEs in package.json' do
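Review bot: The new example pins `prod_advisories: %w[39 48 722]` without anything in the test saying what makes `failure-2` different from the existing failure fixture, so a reader cannot tell which behaviour those ids guard; presumably this fixture is the one exercising the missing-`dev`-flag path changed in node_audit.rb, and the example should say so with a comment such as `# failure-2: lock entries carry no dev flag; they must still be reported as prod advisories`. The advisory ids appear to come from the registry's advisory database rather than from the fixture itself, so if the audit backend is queried live in this spec the expectation will drift as advisories are added; if it is already stubbed, a comment naming the stub would settle that. `expect(info.key?(:stdout)).to eq(true)` reads more naturally as `expect(info).to have_key(:stdout)`, in the same matcher style as the `include` expectation that follows it.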