From a63fea4d9d49b553bf9be6afe2203e81ba806825 Mon Sep 17 00:00:00 2001
From: Matthew B White
Date: Thu, 7 Nov 2019 14:15:00 +0000
Subject: [PATCH] [FAB-13051] npm audit checks
As rush and pnpm are used, implement the npm audit by instally the built artifacts to a fake directory with npm and then running npm audit
Signed-off-by: Matthew B White
Change-Id: I9a621b8653a4dbcdd41c056398f21db173447f9f
---
 ci/azure-pipelines.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/ci/azure-pipelines.yml b/ci/azure-pipelines.yml
index 214c8ceeb..9bb6a8ae8 100644
--- a/ci/azure-pipelines.yml
+++ b/ci/azure-pipelines.yml
@@ -180,6 +180,28 @@ stages:
 inputs:
 pathToPublish: tools/toolchain/network/docker-compose/logs/docker.log
 artifactName: nodeenv-docker-image
+
+ # Job to handle the auditing of the code
+ # NPM audit is run on a 'fake' installation of the libraries
+ # Pulling in all the dependencies it will be able to run NPM AUDIT, and if that returns a
+ error code the job will fail.
+ - job: src_audit
+ displayName: 'Node Module Auditing'
+ dependsOn: main
+ steps:
+ - task: NodeTool@0
+ inputs:
+ versionSpec: '10.x'
+ - task: DownloadPipelineArtifact@2
+ inputs:
+ artifact: node-tgz
+ path: $(Build.SourcesDirectory)/audit
+ - script: |
+ cd $(Build.SourcesDirectory)/audit && npm init -y
+ npm install --save *.tgz
+ npm install
+ npm audit
+
 # Publish tag for the Merge build of a regular PRi.e. w
 - stage: Publish_tag
 condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/tags'))
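Review bot: The multi-line `- script: |` step in the new `src_audit` job does not stop on failure: if the `cd` fails or `DownloadPipelineArtifact@2` leaves no `*.tgz` in the audit directory, the `&&` only skips `npm init -y`, and the following `npm install` and `npm audit` lines still run in whatever directory the step started in, so the job's verdict appears to rest on the last command rather than on the first failure; unless the agent shell already runs with errexit, put `set -euo pipefail` as the first line of the script. `npm audit` on the npm bundled with Node `10.x` returns non-zero for advisories of any severity, so the gate's policy should be made explicit, either by stating in the job comment that any advisory fails the build or by pinning a threshold with `--audit-level`. The fourth comment line, `error code the job will fail.`, appears in this hunk without a leading `#`; if that reflects the file it is a stray plain scalar inside the `jobs` sequence and the pipeline YAML will not parse. The `jobs` sequence this job is appended to starts and ends outside the hunk.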