
Add vulnerability ID to regular and verbose output #23

Closed
fwielstra opened this issue Nov 6, 2017 · 6 comments

Comments

@fwielstra

Running auditjs naively in my project gives me an exit code of 3 and one security issue (sockjs/sockjs-node#217). Since this is not used in production for our application (tracing the dependency points to express and webpack-dev-server), I'd like to disable it.

The guide says to run auditjs -r, however when I do that, this issue is not output in the resulting xml file. The output also seems to report a lot more security issues than running without arguments. Probably also listing vulnerabilities that do not apply, so, safe enough I guess.

Running auditjs -v outputs all of the vulnerabilities, but without IDs again.

So a few things:

  • Issue is not reported (anymore) when running auditjs -r
  • xml output breaks when json contains a >, e.g. in vulnerability with ID 8402848607
  • ID is not displayed in regular output
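The second bullet above describes a classic report-generation defect: text taken from the JSON advisory data is written into the XML file without escaping, so a literal `>` (or `<`, `&`, quotes) in an advisory description produces malformed XML that a downstream CI parser rejects, and the finding effectively disappears. The following is an added illustration of the correct handling, not auditjs code; the element names, function names and the sample advisory text are constructed for the example.

```javascript
// Added example (not auditjs code): escaping JSON-derived strings before they
// are embedded in an XML report. Element names, function names and the sample
// finding below are constructed for illustration.

// Escape the five characters that XML reserves in text and attribute content.
function escapeXml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Build a minimal report element for one finding. The shape mimics what a
// dependency auditor might emit; the element names are assumptions.
function vulnerabilityToXml(v) {
  return [
    `<vulnerability id="${escapeXml(v.id)}">`,
    `  <title>${escapeXml(v.title)}</title>`,
    `  <description>${escapeXml(v.description)}</description>`,
    `  <versions>${escapeXml(v.versions)}</versions>`,
    `</vulnerability>`,
  ].join('\n');
}

// Constructed sample finding whose description contains a ">" character, the
// case the issue reports as breaking the XML output. The text is made up; the
// id only reuses the number mentioned in the issue.
const sampleFinding = {
  id: '8402848607',
  title: 'Example "quoted" title',
  description: 'Versions > 1.2 are affected; see <details> & notes',
  versions: '>=0 <1.3',
};

// Cheap well-formedness check a report writer can run on its own output:
// once the tags are removed, no raw "<" or ">" and no unescaped "&" may remain
// in the text nodes. A real pipeline would use an actual XML parser.
function textContentIsEscaped(xml) {
  const text = xml.replace(/<[^>]+>/g, '');   // strip tags, keep text nodes
  return !/[<>]/.test(text) && !/&(?!(amp|lt|gt|quot|apos);)/.test(text);
}

// Usage: generate the element and verify it before writing the report file.
const report = vulnerabilityToXml(sampleFinding);
console.log(report);
console.log('well-formed text content:', textContentIsEscaped(report));
```

The check is deliberately simple; the point for a CI integration is that a report file should be validated (or parsed with a real XML parser) before the job treats an empty or failed parse as "no findings", because an unescaped character in one advisory would otherwise hide every finding in the run.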
@OSSIndex-Admin
Contributor

Thanks for the request. I will look into the issues this week and will get a new version out as soon as possible.

@OSSIndex-Admin
Contributor

I have added the --suppressExitError option which causes the tool to exit with a "0" exit code (unless something tragic happens causing catastrophic failure).

The vulnerability IDs are always reported in the standard output.

I have not yet fixed the XML output, though I will see about fixing that soon (ish).

I expect that at some point in the future I will rewrite the command line arguments, probably a version 3.0. At that time I will keep the current interface so as not to break any integrations, but will provide a cleaner interface at the same time. This will hopefully clean some things up. Till then I will be providing command line options for users looking for different behaviours.

@thom-nic

thom-nic commented Dec 6, 2017

The vulnerability IDs are always reported in the standard output.

Here's an example from stdout, I don't see what part of this is the vulnerability ID:

[151/153] sqlite3 3.1.13  [VULNERABLE]   1 known vulnerabilities, 1 affecting installed version

Man in the Middle (MitM)
> npm-test-sqlite3-trunk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
> 
> -- [nodesecurity.io](https://nodesecurity.io/advisories/297)

Affected versions: >=0
References:
  * https://github.com/mapbox/node-sqlite3/blob/7322ea714b13451bab75d5232a1dd2a05fcb5052/scripts/build_for_node_webkit.cmd#L8
  * https://nodesecurity.io/advisories/297
------------------------------------------------------------

@OSSIndex-Admin
Contributor

That is definitely not the output I expect. Just before "Affected Versions" you should see an "ID: 12345" line. What version of auditjs are you using? I will double check to ensure I published properly, and if so I will look to see if I missed something.

@thom-nic

thom-nic commented Dec 7, 2017

$ auditjs --version
2.2.5

I just updated to v2.2.8 and now I see it:

------------------------------------------------------------
[151/153] sqlite3 3.1.13  [VULNERABLE]   1 known vulnerabilities, 1 affecting installed version

Man in the Middle (MitM)
> npm-test-sqlite3-trunk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
> 
> -- [nodesecurity.io](https://nodesecurity.io/advisories/297)

ID: 8402283578
Affected versions: >=0
References:
  * https://github.com/mapbox/node-sqlite3/blob/7322ea714b13451bab75d5232a1dd2a05fcb5052/scripts/build_for_node_webkit.cmd#L8
  * https://nodesecurity.io/advisories/297
------------------------------------------------------------

Thanks!

@OSSIndex-Admin
Contributor

Awesome. My pleasure. Thanks for the feedback and help!
