Yarn: Allow `yarn audit` issues to be suppressed

Created on 13 Nov 2018 · 8 Comments · Source: yarnpkg/yarn

Do you want to request a feature or report a bug?

feature

What is the current behavior?
yarn audit will report all issues and there is no way to suppress an issue that does not impact your code base.

If the current behavior is a bug, please provide the steps to reproduce.

What is the expected behavior?
Users can maintain a file like .nsprc or .snyk to suppress various issues. This allows users to investigate and suppress issues that don't impact the code base or for which there is no current solution. This would also allow CI to be used to highlight new issues reported against the code base.

Ideally the report should be able to be:
1) Suppressed
2) Suppressed for a period

Please mention your node.js, yarn and operating system version.

$ node --version
v8.12.0
$ yarn --version
1.12.3
$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.14.1
BuildVersion:   18B75
Label: cat-feature

All 8 comments

Can #6632 be rolled into this feature?

There's work in progress to integrate https://www.npmjs.com/package/npm-audit-resolver (which extends npm audit to do exactly this sort of thing) into npm, but it only works for npm-generated lockfiles. It would be awesome to have that same functionality for yarn lockfiles.

For anyone who needs to work around this now, we're using this:

set +e
yarn audit
result=$?
set -e

if [ "$result" != 0 ]; then
  if [ -f yarn-audit-known-issues ]; then
    set +e
    yarn audit --json | grep auditAdvisory > yarn-audit-issues
    set -e

    if diff -q yarn-audit-known-issues yarn-audit-issues > /dev/null 2>&1; then
      echo
    echo Ignoring known vulnerabilities
      exit 0
    fi
  fi

  echo
  echo Security vulnerabilities were found that were not ignored
  echo
  echo Check to see if these vulnerabilities apply to production
  echo and/or if they have fixes available. If they do not have
  echo fixes and they do not apply to production, you may ignore them
  echo
  echo To ignore these vulnerabilities, run:
  echo
  echo "yarn audit --json | grep auditAdvisory > yarn-audit-known-issues"
  echo
  echo and commit the yarn-audit-known-issues file

  exit "$result"
fi

How is this not a thing yet?!

@AaronHarris Thank you very much for your snippet! I've modified your version to avoid running the audit twice and creating a temporary file:

#!/bin/bash

# workaround for missing feature
# https://github.com/yarnpkg/yarn/issues/6669

set -u

# run the audit once, keeping both its JSON output and its exit code
set +e
output=$(yarn audit --json)
result=$?
set -e

if [ "$result" -eq 0 ]; then
    # everything is fine
    exit 0
fi

# compare the advisory lines against the committed list of known issues
if [ -f yarn-audit-known-issues ] && echo "$output" | grep auditAdvisory | diff -q yarn-audit-known-issues - > /dev/null 2>&1; then
    echo
    echo Ignoring known vulnerabilities
    exit 0
fi

echo
echo Security vulnerabilities were found that were not ignored
echo
echo Check to see if these vulnerabilities apply to production
echo and/or if they have fixes available. If they do not have
echo fixes and they do not apply to production, you may ignore them
echo
echo To ignore these vulnerabilities, run:
echo
echo "yarn audit --json | grep auditAdvisory > yarn-audit-known-issues"
echo
echo and commit the yarn-audit-known-issues file
echo
# each advisory is one JSON document per line; json.tool accepts a single
# document, so pretty-print them one line at a time
echo "$output" | grep auditAdvisory | while IFS= read -r line; do
    printf '%s\n' "$line" | python -mjson.tool
done

exit "$result"

@Bessonov That's great, thanks. We've put this into a CircleCI orb, for anyone using CircleCI: https://github.com/substantial/circleci-orbs/blob/master/yarn.yml

It includes a fail-safe for when yarn/npm servers are down so that builds don't fail in that case. If anyone wants to PR Bessonov's changes, that'd be great.

FYI there's a PR open for this https://github.com/yarnpkg/yarn/pull/8223

To fix this issue I have opened PR #8368. The PR fails, but it seems unrelated to my changes (other PRs seem to fail on the same). If somebody can give feedback/review so I can change anything if needed, that would be great.
