adding registry to the audit config file gives false positive
Closed this issue · 2 comments
greg-murray-volusion commented
With registry set in the config file, per the example documentation, the audit passes:
```json
{
"high": true,
"registry": "https://registry.npmjs.org"
}
```
```bash
> npx audit-ci --config .auditconfig.json
npx: installed 47 in 4.192s
audit-ci version: 3.1.1
NPM audit report results:
{
"advisories": {},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 3,
"moderate": 0,
"high": 0,
"critical": 0
},
"dependencies": 414,
"devDependencies": 981,
"optionalDependencies": 14,
"totalDependencies": 1399
}
}
Passed npm security audit.
```
However, if I either remove the registry from the config file or just run audit-ci directly, it catches a high severity warning:
```bash
npx audit-ci --high
...
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 3,
"moderate": 7,
"high": 1,
"critical": 0
},
"dependencies": 414,
"devDependencies": 981,
"optionalDependencies": 14,
"totalDependencies": 1399
}
}
Failed security audit due to high vulnerabilities.
Vulnerable advisories are: 130032
Exiting...
```
quinnturner commented
I am trying to reproduce, here's my result:
Config file:
```json
{
"registry": "https://registry.npmjs.org",
"high": true
}
```
package.json:
```jsonc
{
"name": "audit-ci-npm-high-vulnerability",
"description": "Test package.json with high vulnerability",
"dependencies": {
// low
"micromatch": "2.3.0",
// high
"cryo": "0.0.6"
}
}
```
Result:
```bash
➜ npm-high git:(pr/171) ✗ npx audit-ci --config ./config.json
npx: installed 47 in 4.715s
audit-ci version: 3.1.1
NPM audit report results:
{
"advisories": {
"690": {
"findings": [
{
"version": "0.0.6",
"paths": [
"cryo"
]
}
],
"id": 690,
"created": "2018-08-16T19:50:35.895Z",
"updated": "2019-06-24T23:04:26.491Z",
"deleted": null,
"title": "Code Injection",
"found_by": {
"link": "",
"name": "Alexey Tyurin"
},
"reported_by": {
"link": "",
"name": "Alexey Tyurin"
},
"module_name": "cryo",
"cves": [
"CVE-2018-3784"
],
"vulnerable_versions": ">=0.0.0",
"patched_versions": "<0.0.0",
"overview": "All versions of `cryo` are vulnerable to code injection due to an Insecure implementation of deserialization.\n\n\n## Proof of concept\n\n```\nvar Cryo = require('cryo');\nvar frozen = '{\"root\":\"_CRYO_REF_3\",\"references\":[{\"contents\":{},\"value\":\"_CRYO_FUNCTION_function () {console.log(\\\\\"defconrussia\\\\\"); return 1111;}\"},{\"contents\":{},\"value\":\"_CRYO_FUNCTION_function () {console.log(\\\\\"defconrussia\\\\\");return 2222;}\"},{\"contents\":{\"toString\":\"_CRYO_REF_0\",\"valueOf\":\"_CRYO_REF_1\"},\"value\":\"_CRYO_OBJECT_\"},{\"contents\":{\"__proto__\":\"_CRYO_REF_2\"},\"value\":\"_CRYO_OBJECT_\"}]}'\nvar hydrated = Cryo.parse(frozen);\nconsole.log(hydrated);\n```",
"recommendation": "No fix is currently available. Consider using an alternative module until a fix is made available.",
"references": "- [HackerOne Report](https://hackerone.com/reports/350418)",
"access": "public",
"severity": "high",
"cwe": "CWE-502",
"metadata": {
"module_type": "",
"exploitability": 7,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/690"
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 0,
"high": 1,
"critical": 0
},
"dependencies": 42,
"devDependencies": 0,
"optionalDependencies": 0,
"totalDependencies": 42
}
}
Failed security audit due to high vulnerabilities.
Vulnerable advisories are: 690
Exiting...
```
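The threshold logic the two runs above exercise, as an added example that is not audit-ci's own code: it reads an npm audit report in the v1 JSON shape shown in this thread, applies a config such as `{ "high": true }` (the `registry` key is carried but not used for the pass/fail decision), and also cross-checks the summary counts against the advisory list so that a report whose `advisories` map is empty while `metadata` still counts vulnerabilities at or above the threshold is not reported as a pass. The sample report and config are constructed from the second comment.

```javascript
// Added example, not audit-ci's own code: apply an audit-ci style threshold config
// to an npm audit (v1 JSON) report and list the advisories that would fail the build.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Lowest severity that fails the audit, taken from the config flags.
// { "high": true }, as in the thread, means high and critical both fail.
function thresholdFromConfig(config) {
  for (const s of SEVERITIES) {
    if (config[s] === true) return s;
  }
  return null; // no severity flag configured: nothing fails
}

function evaluateAudit(report, config) {
  const threshold = thresholdFromConfig(config);
  const min = threshold === null ? SEVERITIES.length : SEVERITIES.indexOf(threshold);
  const failing = Object.values(report.advisories || {})
    .filter((a) => SEVERITIES.indexOf(a.severity) >= min)
    .map((a) => a.id)
    .sort((a, b) => a - b);
  // Cross-check the summary counts against the advisory list: if metadata counts
  // vulnerabilities at or above the threshold but no advisory is listed, the report
  // is incomplete and must not be treated as a pass.
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  const counted = SEVERITIES.slice(min).reduce((n, s) => n + (counts[s] || 0), 0);
  const inconsistent = counted > 0 && failing.length === 0;
  return { passed: failing.length === 0 && !inconsistent, failing, inconsistent };
}

// Constructed sample in the shape of the second report above (trimmed to the fields used).
const sampleReport = {
  advisories: {
    "690": { id: 690, module_name: "cryo", severity: "high", cves: ["CVE-2018-3784"] },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 } },
};
const sampleConfig = { registry: "https://registry.npmjs.org", high: true };

const auditResult = evaluateAudit(sampleReport, sampleConfig);
console.log(
  auditResult.passed
    ? "Passed npm security audit."
    : `Failed security audit. Vulnerable advisories are: ${auditResult.failing.join(", ")}`
);
```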
greg-murray-volusion commented
You may close this one as it's not a problem anymore. Thank you