mirror of https://github.com/nodejs/node.git
This changes the search method for `undici` on the NVD database. Before, since `undici` did not have a CPE assigned, the search was by keyword. Now that a CPE was assigned, it is used to query for new vulnerabilities.

PR-URL: https://github.com/nodejs/node/pull/44128
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Files in tools/dep_checker/: README.md, dependencies.py, main.py, requirements.txt, versions_parser.py
README.md
Node.js dependency vulnerability checker
This script queries the National Vulnerability Database (NVD) and the GitHub Advisory Database for vulnerabilities found in Node's dependencies.
How to use
Database authentication
- In order to query the GitHub Advisory Database, a Personal Access Token has to be created (no permissions need to be given to the token, since it's only used to query the public database).
- The NVD can be queried without authentication, but anonymous access is rate-limited to one query every six seconds. To remove that limitation, request an API key and pass it as a parameter.
Running the script
Once the token and key have been acquired, the script can be run as follows:
cd node/tools/dep_checker/
pip install -r requirements.txt
# Python >= 3.9 required
python main.py --gh-token=$PERSONAL_ACCESS_TOKEN --nvd-key=$NVD_API_KEY
# The command can also be run without parameters
# This will skip querying the GitHub Advisory Database, and query the NVD
# using the anonymous (rate-limited) API
python main.py
Example output
WARNING: New vulnerabilities found
- npm (version 1.2.1) :
  - GHSA-v3jv-wrf4-5845: https://github.com/advisories/GHSA-v3jv-wrf4-5845
  - GHSA-93f3-23rq-pjfp: https://github.com/advisories/GHSA-93f3-23rq-pjfp
  - GHSA-m6cx-g6qm-p2cx: https://github.com/advisories/GHSA-m6cx-g6qm-p2cx
  - GHSA-4328-8hgf-7wjr: https://github.com/advisories/GHSA-4328-8hgf-7wjr
  - GHSA-x8qc-rrcw-4r46: https://github.com/advisories/GHSA-x8qc-rrcw-4r46
  - GHSA-m5h6-hr3q-22h5: https://github.com/advisories/GHSA-m5h6-hr3q-22h5
- acorn (version 6.0.0) :
  - GHSA-6chw-6frg-f759: https://github.com/advisories/GHSA-6chw-6frg-f759
For each dependency and vulnerability, check the following:
- Check the vulnerability's description to see if it applies to the dependency as used by Node. If not, the vulnerability ID (either a CVE or a GHSA) can be added to the ignore list in dependencies.py. IMPORTANT: Only do this if certain that the vulnerability found is a false positive.
- Otherwise, the vulnerability found must be remediated by updating the dependency in the Node repo to a non-affected version.
Implementation details
- For each dependency in Node's deps/ folder, the script parses its version number and queries the databases for vulnerabilities affecting that specific version.
- The queries can return false positives (see this comment for an example). These can be ignored by adding the vulnerability ID to the ignore_list in dependencies.py.
- If no NVD API key is provided, the script takes a while to finish (~2 min) because queries to the NVD are rate-limited.
- If any vulnerabilities are found, the script returns 1 and prints a list with the ID and a link to a description of each vulnerability, except when the ID matches one in the ignore list (inside dependencies.py), in which case the vulnerability is ignored.
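The example below is added here to illustrate the two points this page makes about the checker's query path: the commit's switch from a keyword search to a CPE-based NVD query for `undici`, and the README's flow of querying per dependency version, filtering results against the ignore list, and exiting with status 1 when anything remains. It is not the dep_checker's own code (main.py and dependencies.py are not reproduced here). The NVD 2.0 endpoint, its `cpeName` and `keywordSearch` parameters and its `{"vulnerabilities": [{"cve": {...}}]}` response shape are real; the vendor/product pair used for the undici CPE, the dependency versions and the CVE ids are constructed sample data, and the responses are embedded inline instead of being fetched so the script runs offline.

```python
# Added example (not the dep_checker's own code). Mirrors the README's flow:
# build an NVD query (by CPE when one exists, keyword otherwise), pull CVE ids
# out of an NVD 2.0 response, drop ids on the dependency's ignore list, and
# emit the WARNING report with exit status 1 when anything remains.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlencode

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


@dataclass
class Dependency:
    name: str
    version: str
    cpe_vendor: Optional[str] = None   # set once NVD has assigned a CPE
    cpe_product: Optional[str] = None
    keyword: Optional[str] = None      # free-text fallback when no CPE exists
    ignore_list: Set[str] = field(default_factory=set)  # triaged false positives


def nvd_query_params(dep: Dependency) -> Dict[str, str]:
    """A CPE match is exact (vendor, product, version); a keyword search scans
    description text, which is what produced false positives before a CPE existed."""
    if dep.cpe_vendor and dep.cpe_product:
        cpe = f"cpe:2.3:a:{dep.cpe_vendor}:{dep.cpe_product}:{dep.version}:*:*:*:*:*:*:*"
        return {"cpeName": cpe}
    return {"keywordSearch": dep.keyword or dep.name}


def nvd_query_url(dep: Dependency) -> str:
    return f"{NVD_API}?{urlencode(nvd_query_params(dep))}"


def extract_cve_ids(nvd_response: dict) -> List[str]:
    """NVD 2.0 wraps each record as {"cve": {"id": ..., "descriptions": [...]}}."""
    return [item["cve"]["id"] for item in nvd_response.get("vulnerabilities", [])]


def check(deps: List[Dependency], responses: Dict[str, dict]) -> Dict[str, Tuple[str, List[str]]]:
    """responses maps dependency name -> decoded NVD JSON (constructed here;
    the real script fetches it live, one request per six seconds without an API key)."""
    findings = {}
    for dep in deps:
        ids = [c for c in extract_cve_ids(responses.get(dep.name, {}))
               if c not in dep.ignore_list]
        if ids:
            findings[dep.name] = (dep.version, ids)
    return findings


def render_report(findings: Dict[str, Tuple[str, List[str]]]) -> Tuple[str, int]:
    """Returns (report text, exit status): 1 when anything survives ignore-list filtering."""
    if not findings:
        return "No new vulnerabilities found", 0
    lines = ["WARNING: New vulnerabilities found"]
    for name, (version, ids) in findings.items():
        lines.append(f"- {name} (version {version}) :")
        lines.extend(f"  - {vid}: https://nvd.nist.gov/vuln/detail/{vid}" for vid in ids)
    return "\n".join(lines), 1


# Constructed sample data: the nodejs:undici vendor/product pair is an
# assumption, the CVE ids are placeholders, and the versions are illustrative.
SAMPLE_DEPS = [
    Dependency("undici", "1.0.0", cpe_vendor="nodejs", cpe_product="undici",
               ignore_list={"CVE-0000-00001"}),
    Dependency("acorn", "6.0.0", keyword="acorn"),
]
SAMPLE_RESPONSES = {
    "undici": {"vulnerabilities": [
        {"cve": {"id": "CVE-0000-00001",
                 "descriptions": [{"lang": "en", "value": "constructed: triaged false positive"}]}},
        {"cve": {"id": "CVE-0000-00002",
                 "descriptions": [{"lang": "en", "value": "constructed: affects this version"}]}},
    ]},
    "acorn": {"vulnerabilities": []},
}

if __name__ == "__main__":
    report, status = render_report(check(SAMPLE_DEPS, SAMPLE_RESPONSES))
    print(report)
    raise SystemExit(status)
```

Run as-is it prints the WARNING block for undici (the ignored id is dropped, the other is reported) and exits with status 1, which is the contract the README describes for CI use; swapping the constructed responses for live `urllib` calls to `nvd_query_url(dep)` is the only change needed to query the real database, subject to the six-second rate limit without a key.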