[feat] yarn audit

[rally25rs]

Do you want to request a feature or report a bug?

feature

What is the current behavior?

npm added audit to warn about packages with known security issues. There was some conversation about this previously and one of the core npm folks said the API was likely to be open/public to pull this info. Therefore, yarn should be able to add this feature.

What is the expected behavior?

• Add a yarn audit command that mimics npm audit
• Add warnings when adding/installing packages with known issues.

Please mention your node.js, yarn and operating system version.

This would be a minor version bump, so likely target yarn v1.7.0 or v1.8.0 depending on timing.
This is probably too important to wait for v2.0.

[batjko]

One thing that yarn could do, is improve on the concept. npm audit's output and configurability is somewhat basic right now.

Perhaps yarn could add some interactivity, allowing the user to automatically update packages, as long as the suggested version is just a semver patch update.

Also definitely useful would be different types of output (html, json, csv, or similar console outputs to test or lint runners etc.)

I'm sure there are more ways yarn can add a bunch of value here.

[chapati23]

Would love yarn to add this. We're currently using snyk.io for vulnerability management but I've never been 100% happy with it as it always felt like something that should be more integrated.

Was super excited when I heard that npm added the audit command. But also super disappointed when I realized that it only works with a corresponding package-lock.json, which would basically mean for us to either drop yarn completely and go back to npm. Or use both tools, which already sounds like a recipe for horrible merge-conflicts and syncing-hell between the two lock-files.

[Hypnosphi]

horrible merge-conflicts

Right now both yarn and npm are able to autoresolve the lockfile conflicts

syncing-hell

Yeah, that's the real problem

[shinriyo]

yarn is upward compatibility to npm.
I hope yarn should support audit option officially!

[Hypnosphi]

Unfortunately, any new command addition is a breaking change for yarn, because of yarn scriptName shortcut

[batjko]

Unfortunately, any new command addition is a breaking change for yarn, because of yarn scriptName shortcut

I don't see how.
npm start, for example, has a default behavior which kicks in if no explicit script for it is defined in package.json.
So if someone has yarn audit already defined, it will simply override the default which would be npm's audit. E.g.:

"scripts": {
  "start": "echo 'this will override the default behavior of npm start'",
  "audit": "echo 'my custom audit script will now be used'"
}

[Hypnosphi]

Ok I see

[rally25rs]

I haven't had time to actually implement anything here yet, so if anyone has free time, help is appreciated. Here are some notes from capturing the network traffic from npm:

---

After all manifests metadata is loaded and before any .tgz packages are downloaded, npm makes a new request:

POST https://registry.npmjs.org/-/npm/v1/security/audits/quick

headers:

connection: keep-alive
user-agent: npm/6.0.1 node/v8.11.2 win32 x64
npm-in-ci: false
npm-scope: 
npm-session: 4e017f155c654f93
referer: undefined
content-type: application/json
content-type: application/octet-stream
authorization: Bearer {removed}
accept: */*
content-length: 654
accept-encoding: gzip,deflate
Host: registry.npmjs.org

request body:

{
  "name": "demo-npm",
  "version": "1.0.0",
  "requires": {
    "moment": "^2.10.5",
    "minimatch": "^1.0.0"
  },
  "dependencies": {
    "lru-cache": {
      "version": "2.7.3",
      "integrity": "sha1-bUUk6LlV+V1PW1iFHOId1y+06VI="
    },
    "minimatch": {
      "version": "1.0.0",
      "integrity": "sha1-4N0hILSeG3JM6NcUxSCCKpQ4V20=",
      "requires": {
        "lru-cache": "2",
        "sigmund": "~1.0.0"
      }
    },
    "moment": {
      "version": "2.22.1",
      "integrity": "sha512-shJkRTSebXvsVqk56I+lkb2latjBs8I+pc2TzWc545y2iFnSjm7Wg0QMh+ZWcdSLQyGEau5jI8ocnmkyTgr9YQ=="
    },
    "sigmund": {
      "version": "1.0.1",
      "integrity": "sha1-P\/IfGYytIXX587eBhT\/ZTQ0ZtZA="
    }
  },
  "install": [
    "minimatch@1.0.0"
  ],
  "remove": [
    
  ],
  "metadata": {
    "npm_version": "6.0.1",
    "node_version": "v8.11.2",
    "platform": "win32"
  }
}

response headers:

content-type: application/json; charset=utf-8
access-control-allow-origin: *
access-control-allow-credentials: true
Cache-Control: max-age=300
Accept-Ranges: bytes
Date: Sun, 20 May 2018 21:25:49 GMT
Via: 1.1 varnish
Connection: keep-alive
X-Served-By: cache-mdw17321-MDW
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1526851550.558067,VS0,VE246
Vary: Accept-Encoding, Accept
Content-Length: 1605

response body:

{
  "actions": [
    
  ],
  "advisories": {
    "118": {
      "findings": [
        {
          "version": "1.0.0",
          "paths": [
            "minimatch"
          ],
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ],
      "id": 118,
      "created": "2016-05-25T16:37:20.000Z",
      "updated": "2018-03-01T21:58:01.072Z",
      "deleted": null,
      "title": "Regular Expression Denial of Service",
      "found_by": {
        "name": "Nick Starke"
      },
      "reported_by": {
        "name": "Nick Starke"
      },
      "module_name": "minimatch",
      "cves": [
        "CVE-2016-10540"
      ],
      "vulnerable_versions": "<=3.0.1",
      "patched_versions": ">=3.0.2",
      "overview": "Affected versions of `minimatch` are vulnerable to regular expression denial of service attacks when user input is passed into the `pattern` argument of `minimatch(path, pattern)`.\n\n\n## Proof of Concept\n```\nvar minimatch = require(\u201cminimatch\u201d);\n\n\/\/ utility function for generating long strings\nvar genstr = function (len, chr) {\n  var result = \u201c\u201d;\n  for (i=0; i<=len; i++) {\n    result = result + chr;\n  }\n  return result;\n}\n\nvar exploit = \u201c[!\u201d + genstr(1000000, \u201c\\\\\u201d) + \u201cA\u201d;\n\n\/\/ minimatch exploit.\nconsole.log(\u201cstarting minimatch\u201d);\nminimatch(\u201cfoo\u201d, exploit);\nconsole.log(\u201cfinishing minimatch\u201d);\n```",
      "recommendation": "Update to version 3.0.2 or later.",
      "references": "",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "Multi.Library",
        "exploitability": 4,
        "affected_components": "Internal::Code::Function::minimatch({type:'args', key:0, vector:{type:'string'}})"
      }
    }
  },
  "muted": [
    
  ],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 1,
      "critical": 0
    },
    "dependencies": 4,
    "devDependencies": 0,
    "optionalDependencies": 0,
    "totalDependencies": 4
  }
}

---

The request includes the integrity for each package, but I'm not sure how that is generated or if yarn already figures that out somewhere.

---

In addition to that, manually running the yarn audit command does:

request headers:

POST https://registry.npmjs.org/-/npm/v1/security/audits

connection: keep-alive
user-agent: npm/6.0.1 node/v8.11.2 win32 x64
npm-in-ci: false
npm-scope: 
npm-session: 686c3e1b85b7d5d2
referer: undefined
content-encoding: gzip
content-type: application/json
content-type: application/octet-stream
authorization: Bearer {removed}
accept: */*
content-length: 401
accept-encoding: gzip,deflate
Host: registry.npmjs.org

request body:

{
  "name": "demo-npm",
  "version": "1.0.0",
  "requires": {
    "minimatch": "^1.0.0",
    "moment": "^2.10.5"
  },
  "dependencies": {
    "lru-cache": {
      "version": "2.7.3",
      "integrity": "sha1-bUUk6LlV+V1PW1iFHOId1y+06VI="
    },
    "minimatch": {
      "version": "1.0.0",
      "integrity": "sha1-4N0hILSeG3JM6NcUxSCCKpQ4V20=",
      "requires": {
        "lru-cache": "2",
        "sigmund": "~1.0.0"
      }
    },
    "moment": {
      "version": "2.22.1",
      "integrity": "sha512-shJkRTSebXvsVqk56I+lkb2latjBs8I+pc2TzWc545y2iFnSjm7Wg0QMh+ZWcdSLQyGEau5jI8ocnmkyTgr9YQ=="
    },
    "sigmund": {
      "version": "1.0.1",
      "integrity": "sha1-P\/IfGYytIXX587eBhT\/ZTQ0ZtZA="
    }
  },
  "install": [
    
  ],
  "remove": [
    
  ],
  "metadata": {
    "npm_version": "6.0.1",
    "node_version": "v8.11.2",
    "platform": "win32"
  }
}

response headers:

content-type: application/json; charset=utf-8
access-control-allow-origin: *
access-control-allow-credentials: true
Cache-Control: max-age=300
Accept-Ranges: bytes
Date: Sun, 20 May 2018 21:26:06 GMT
Via: 1.1 varnish
Connection: keep-alive
X-Served-By: cache-mdw17381-MDW
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1526851566.039865,VS0,VE325
Vary: Accept-Encoding, Accept
Content-Length: 1766

response body:

{
  "actions": [
    {
      "action": "install",
      "module": "minimatch",
      "target": "3.0.4",
      "isMajor": true,
      "resolves": [
        {
          "id": 118,
          "path": "minimatch",
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ]
    }
  ],
  "advisories": {
    "118": {
      "findings": [
        {
          "version": "1.0.0",
          "paths": [
            "minimatch"
          ],
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ],
      "id": 118,
      "created": "2016-05-25T16:37:20.000Z",
      "updated": "2018-03-01T21:58:01.072Z",
      "deleted": null,
      "title": "Regular Expression Denial of Service",
      "found_by": {
        "name": "Nick Starke"
      },
      "reported_by": {
        "name": "Nick Starke"
      },
      "module_name": "minimatch",
      "cves": [
        "CVE-2016-10540"
      ],
      "vulnerable_versions": "<=3.0.1",
      "patched_versions": ">=3.0.2",
      "overview": "Affected versions of `minimatch` are vulnerable to regular expression denial of service attacks when user input is passed into the `pattern` argument of `minimatch(path, pattern)`.\n\n\n## Proof of Concept\n```\nvar minimatch = require(\u201cminimatch\u201d);\n\n\/\/ utility function for generating long strings\nvar genstr = function (len, chr) {\n  var result = \u201c\u201d;\n  for (i=0; i<=len; i++) {\n    result = result + chr;\n  }\n  return result;\n}\n\nvar exploit = \u201c[!\u201d + genstr(1000000, \u201c\\\\\u201d) + \u201cA\u201d;\n\n\/\/ minimatch exploit.\nconsole.log(\u201cstarting minimatch\u201d);\nminimatch(\u201cfoo\u201d, exploit);\nconsole.log(\u201cfinishing minimatch\u201d);\n```",
      "recommendation": "Update to version 3.0.2 or later.",
      "references": "",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "Multi.Library",
        "exploitability": 4,
        "affected_components": "Internal::Code::Function::minimatch({type:'args', key:0, vector:{type:'string'}})"
      }
    }
  },
  "muted": [
    
  ],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 1,
      "critical": 0
    },
    "dependencies": 4,
    "devDependencies": 0,
    "optionalDependencies": 0,
    "totalDependencies": 4
  }
}

[rally25rs]

Discovered that the integrity may be returned by the registry for newer packages in the metadata under versions[version_number].dist.integrity

When that does not exist, the npm lockfile docs says "the sha1 in shasum" but I haven't quite figured out how that is generated.

https://github.com/zkat/pacote/blob/ccc6e9094c2e872f09cc12ae966a0cbc1a570eed/lib/finalize-manifest.js#L100 leads me to believe that npm generates the missing integrity from the tarball, but watching network traffic, it has not yet downloaded the tarball 🤔

@zkat @imsnif can you provide any details as to how this works? (just asking is probably a lot easier than me hunting through the code 😄I appreciate any help!)