Yarn: Limit severity in `yarn audit` to reduce noise

Created on 13 Nov 2018 · 8 Comments · Source: yarnpkg/yarn

Do you want to request a feature or report a bug?

feature

What is the current behavior?
yarn audit will report all security vulnerabilities at all levels of severity.
If the current behavior is a bug, please provide the steps to reproduce.

What is the expected behavior?
Allow something like --level to limit the level of severity that you are concerned about. Thus --level medium would only report vulnerabilities that are high and medium. This allows you to focus on issues that are of greatest concern and removes the noise from issues that you are not currently concerned about.

Please mention your node.js, yarn and operating system version.

$ node --version
v8.12.0
$ yarn --version
1.12.3
$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.14.1
BuildVersion:   18B75
Labels: cat-feature, good first issue, help wanted

All 8 comments

Hey, can I try to solve this issue ? :)

@karol-kielbasa Any help is always appreciated. Feel free to submit a PR. If you need any help you can reach out in the Discord channel. Thanks! 🎉

Yes, definitely an important feature. Getting package maintainers to address their low vulnerability issues is gonna be a bit of work -- but yarn treats them all the same so an exit code of >0 tells me nothing about the severity of the vulnerability. As it is I have to remove any audit check from my build pipeline.

Ended up making a bash script to deal with this. Considered just going back to npm since other teams here have said that the npm audit is better.

#!/usr/bin/env bash

# run yarn audit, check the number of lines that have 'high' on
# them in the output table, meaning high vulnerability

if [[ $(yarn audit | grep "high" | wc -l | tr -d ' ') -gt 0 ]]; then
  echo "high vulnerability found"
  exit 1
else
  exit 0
fi

I'd like to get that into one line in my package.json. Messed with it for a while, didn't get it to work.

It also will break if there's a low/moderate vulnerability in a package named "high" so _caveat emptor_.

I ended up with this solution. Far from perfect but it does the job for now.

security-check.js:

/* eslint-disable */
const { exec } = require('child_process');

(function runAudit() {
  exec('yarn audit', (error, stdout, stderr) => {
    console.log(stdout);
    if (error) {
      // yarn audit exits non-zero on any finding, so inspect the output to
      // decide whether the failure is a high-severity one.
      const lines = stdout.split('\n');
      let sawSeverity = false;
      for (let i = 0; i < lines.length; i++) {
        if (!lines[i].startsWith('Severity: ')) continue;
        sawSeverity = true;
        if (lines[i].includes('High')) {
          throw new Error('Security check failed');
        }
        // Lower severities are tolerated, but keep scanning: a later
        // advisory may still be High.
      }
      if (sawSeverity) return; // only lower-severity findings
      // Non-zero exit without any severity line: the audit itself failed.
      throw new Error(`Some error occurred:\n${stderr}`);
    }
  });
}());

and in my package.json:
"security-check": "node ./scripts/security-check.js",

From the CI you can now call simply with yarn security-check

I modified @atkiss's solution a little as it wasn't working for me:

/* eslint-disable */
const { exec } = require('child_process');

(function runAudit() {
  // --summary prints only the per-severity counts instead of one table per
  // advisory, so a substring match is less likely to hit a package name.
  exec('yarn audit --summary', (error, stdout, stderr) => {
    console.log(stdout);
    if (error) {
      const lines = stdout.split('\n');
      for (let i = 0; i < lines.length; i++) {
        if (lines[i].indexOf("High") >= 0
            || lines[i].indexOf("Critical") >= 0) {
          throw new Error('Security check failed');
        }
      }
    }
  });
}());

Really hope this feature comes out soon. It is a pain to use yarn audit in a CI/CD system when even a low severity issue stops the process.

Following this merge we can use error.code instead:

const { exec } = require('child_process');

// yarn audit's exit code is a bitmask of the severities found:
// 1 info, 2 low, 4 moderate, 8 high, 16 critical.
exec('yarn audit --summary', (error, stdout) => {
  console.log(stdout);
  // >= 16 is only possible when the critical bit is set.
  if (error && error.code >= 16) {
    throw new Error('Critical vulnerabilities found');
  }
});