Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] Whitelist entries should (optionally) be time-limited #258

Open
wilsonwaters opened this issue Jul 11, 2022 · 1 comment · May be fixed by #259
Open

[FEATURE] Whitelist entries should (optionally) be time-limited #258

wilsonwaters opened this issue Jul 11, 2022 · 1 comment · May be fixed by #259
Labels
enhancement

Comments

@wilsonwaters
Copy link

  • What are you trying to do?
    We occasionally add whitelist entries for vulnerabilities which don't have a current solution, but are likely to be resolved by package maintainers at some point in the future. The risk in adding a whitelist entry is we will undoubtedly forget to come back and fix the issue / upgrade packages once the vulnerability has been resolved.

  • What feature or behavior is this required for?
    Often CI/CD pipelines will run auditjs and prevent deployment if there are vulnerabilities. Sometimes a whitelist entry is required to ensure development can continue. However, we want to minimise our risk and force a whitelist review, instead of "set and forget".

  • How could we solve this issue? (Not knowing is okay!)
    We could have a global option lastReviewDate to force a regular review of whitelist entries, however this doesn't seem granular enough. There may be vulnerabilities which we want to permanently ignore, and others that we know the expected fix date. Hence, adding an optional lastReviewDate field to whitelist entries.

  • Anything else?
    I've implemented this and will create a PR for review.

cc @bhamail / @DarthHater / @allenhsieh / @ken-duck
@wilsonwaters wilsonwaters linked a pull request Jul 11, 2022 that will close this issue
Open
@wilsonwaters
Copy link
Author

Amusingly, the same prompt for us to create this PR is also affecting the auditjs build itself!
image
The node-fetch package has a vulnerability which is causing the build to fail. There's no fix in node-fetch yet. Rather than simply adding a whitelist entry and forgetting about it, it would be better to add the whitelist entry with a reviewDate which will force us to revisit this at a later date and see if the vulnerability has been resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

added whitelist reviewDate feature wilsonwaters/auditjs
1 participant
@wilsonwaters