Refactoring audit proxy script to use JSON output

Adding decompress as a module exception
brave · ryanml · Mar 5, 2020 · Mar 5, 2020 · Mar 5, 2020 · 6c362538b759305091a92e64ec9dc256da3a9c8b
commit 6c362538b759305091a92e64ec9dc256da3a9c8b
diff --git a/scripts/audit.js b/scripts/audit.js
@@ -1,32 +1,69 @@
-const execSync = require('child_process').execSync
-
-// Yarn audit status codes:
-//
-// Only moderate warnings and above should be taken in to consideration
-//
-// 1 - INFO
-// 2 - LOW
-// 4 - MODERATE
-// 8 - HIGH
-// 16 - CRITICAL
+const { execSync } = require('child_process')
+
+const prettyPrint = (advisories) => {
+  advisories.forEach(({ severity, module_name }) => {
+    console.log(`
+      Module Name: ${module_name}
+      Severity: ${severity}
+    `)
+  })
+}
 
 try {
-  return execSync('yarn audit')
+  return execSync('yarn audit --json')
 } catch (e) {
-  const stdout = e.stdout.toString()
+  const stdoutRaw = e.stdout.toString()
+  const JSONLines = stdoutRaw.split('\n')
 
-  if (e.status >= 4) {
-    console.log(stdout)
-    throw new Error('Moderate or higher vulnerabilities found during yarn audit')
+  const advisoryCount = {
+    'low': 0,
+    'moderate': 0,
+    'high': 0
   }
+  // Approved exceptions only, in cases where
+  // both a patch will likely not be available
+  // and where the actual risk is low.
+  const exceptions = ['decompress']
+
+  // There is erroneous data that is not valid JSON that
+  // yarn can produce, as they do not echo out a valid JSON
+  // blob with this flag. Its format is json-lines as opposed
+  // to pure JSON
+  const advisories = JSONLines.filter((line) => {
+    try {
+      JSON.parse(line)
+    } catch { return false }
+    return true
+  // Extra data.advisory for later convenience
+  }).map((line) => {
+    return JSON.parse(line).data.advisory
+  // Filter out exceptions
+  }).filter((item) => {
+    return item && !exceptions.includes(item['module_name'])
+  })
 
-  const numLowVulns = stdout.match(/Package\b/g).length
+  // Set advisory counts
+  advisories.forEach(({ severity }) => {
+    advisoryCount[severity] = ++advisoryCount[severity]
+  })
 
-  if (numLowVulns >= 10) {
-    console.log(stdout)
-    throw new Error(`10 or more low vulnerabilities identified`)
+  // If there are any moderate or high vulnerabilities, fail.
+  if (advisoryCount.moderate || advisoryCount.high) {
+    prettyPrint(advisories)
+    throw new Error('Moderate or higher vulnerabilities found during yarn audit')
+  }
+
+  // If there are 10 or more low vulneravilities, fail.
+  if (advisoryCount.low >= 10) {
+    prettyPrint(advisories)
+    throw new Error('10 or more low vulnerabilities identified')
   }
 
+  // Extra info
+  (({ low, moderate, high }) => {
+    console.log(`Advisory counts: Low: ${low}, Moderate: ${moderate}, High: ${high}`)
+  })(advisoryCount)
+
   console.log('-'.repeat(30))
   console.log('Audit complete')
   console.log('-'.repeat(30))