@quasar/quasar-app-extension-testing-security-antivuln
A Quasar App Extension for checking that no packages are vulnerability threats
Last updated a year ago by nothingismagick .
MIT · Repository · Bugs · Original npm · Tarball · package.json
$ cnpm install @quasar/quasar-app-extension-testing-security-antivuln 
SYNC missed versions from official npm registry.

@quasar/testing-security-antivuln

This testing app extension will scan your installed dependencies (the entire chain) and compare them with the list of advisories found here: https://www.npmjs.com/advisories warning you if any are unsafe.

Install

Installation should be done via the @quasar/testing mono repo using

quasar ext add @quasar/testing

Then selecting the Security Anti-Vulnerability harness. If you do need to install this application extension on independantly you can use:

quasar ext add @quasar/testing-security-antivuln

Quasar CLI will retrieve it from NPM and install the extension.

Prompts

This app extension will prompt for 3 options:

  • Scan when running quasar dev - Enabling this will cause the scan to run when you run quasar dev
  • Scan when running quasar build - Enabling this will cause the scan to run when you run quasar build
  • Strict Mode - If enabled and if vulnerabilities are found, script execution will stop when runOnDev and / or runOnBuild are true.

Uninstall

If installed via @quasar/testing then just run the install again and don't select the Security Anti-Vulnerability harness.

If installed direct, run:

quasar ext remove @quasar/testing-security-antivuln

Running

quasar test --security antivuln

Testing

If you would like to test the output / how this works. You can add any package that exists in the NPM Advisory List for instance:

yarn add ids-enterprise@4.18.0

When you've added this package to your project, run:

quasar test --security antivuln

And you will see output similar to (albeit with a little more color):

Security Alert: [high] [ids-enterprise]
  Type: Cross-Site Scripting
  Advisory Version: <4.18.2
  Current version: 4.18.0
  Recommendation: Upgrade to version 4.18.2 or later
  Url: https://npmjs.com/advisories/957
  Detail: Versions of `ids-enterprise` prior to 4.18.2 are vulnerable to Cross-Site Scripting (XSS). The `modal` component fails to sanitize input to the `title` attribute, which may allow attackers to execute arbitrary JavaScript.

#####IMPORTANT

Remember to remove the unsafe package you've added for testing.

Output

Once the test has run, output will be saved to

your-application-folder/test/audits/security/antivuln/bad.packages.result.json

The output will be similar to (or exactly the same if you're following the Testing section above):

{
  "status": "fail",
  "runAt": 1560426465,
  "totalAdvisories": 1,
  "advisories": [
    {
      "name": "ids-enterprise",
      "version": "<4.18.2",
      "title": "Cross-Site Scripting",
      "recommendation": "Upgrade to version 4.18.2 or later",
      "severity": "high",
      "overview": "Versions of `ids-enterprise` prior to 4.18.2 are vulnerable to Cross-Site Scripting (XSS). The `modal` component fails to sanitize input to the `title` attribute, which may allow attackers to execute arbitrary JavaScript.",
      "url": "https://npmjs.com/advisories/957",
      "currentVersion": "4.18.0"
    }
  ]
}

Possible Roadmap

  • Fix option
  • HTML bad package browser.

Patreon

If you like (and use) this App Extension, please consider becoming a Quasar Patreon.

Current Tags

  • 1.0.0-alpha.2                                ...           latest (a year ago)

2 Versions

  • 1.0.0-alpha.2                                ...           a year ago
  • 1.0.0-alpha.1                                ...           a year ago
Downloads
Today 0
This Week 0
This Month 0
Last Day 0
Last Week 0
Last Month 0
Dependencies (3)
Dev Dependencies (1)
Dependents (0)
None

Copyright 2014 - 2016 © taobao.org |