lirantal/is-website-vulnerable

Replacing Lighthouse for Hint

lirantal opened this issue · 0 comments

Current situation

Today is-website-vulnerable depends on Lighthouse for its built-in auditing capabilities to load a webpage, detect its use of JavaScript libraries and their versions, and compare that with the Snyk database to report security vulnerabilities.

Reason for change

The Lighthouse project no longer reports on JavaScript libraries and their vulnerabilities, which means that once the pinned version of the Lighthouse dependency is removed, the library will silently break: all scans will result in false negatives and create an incorrect posture of no security vulnerabilities found.

Luckily for the project, we're pinning down dependencies to the point of a shrinkwrap file so we're not yet affected.

Suggested change

A Lighthouse alternative is the Hint project which does provide this integration along with other comparable features of Lighthouse.

It will require a refactor to replace Lighthouse with Hint and potentially a different usage of CLI/configuration and output, depending on the compatibility matrix of these two libraries.

A Hint code example

Following is a working code example of using Hint (run `npm install hint` first):

const { Analyzer } = require("hint");

async function main() {
  const userConfig = {
    // Load the page in a headless Chrome via hint's puppeteer connector
    connector: {
      name: "puppeteer",
      options: {
        browser: "Chrome",
        headless: true,
      },
    },
    // The hint that checks detected JavaScript libraries against the Snyk database
    hints: {
      "no-vulnerable-javascript-libraries": "error",
    },
    // Formatters used by `webhint.format()` below; with an empty list it prints nothing.
    // "summary" resolves to `@hint/formatter-summary`, assumed to be installed.
    formatters: ["summary"],
  };
  const options = {};
  const webhint = Analyzer.create(userConfig, options);

  const results = await webhint.analyze("https://foxnews.com", options);

  // for...of rather than forEach so that the async format() call below is awaited
  for (const result of results) {
    console.log(`Result for: ${result.url}`);

    result.problems.forEach((problem) => {
      console.log(
        `${problem.hintId} - ${problem.resource} - ${problem.message}`
      );
      console.log("---->\r\n", JSON.stringify(problem));
      console.log("----");
    });

    // Print the result using the configured `formatter-summary`
    await webhint.format(result.problems);
  }
}

main().catch((err) => {
  console.error(err);
  process.exit(1);
});

An example output of one of the problems when printed:

{
    "category": "security",
    "documentation": [
        {
            "link": "https://snyk.io/vuln/SNYK-JS-JQUERY-567880",
            "text": "Learn more about vulnerability SNYK-JS-JQUERY-567880 (medium) at Snyk"
        },
        {
            "link": "https://snyk.io/vuln/SNYK-JS-JQUERY-565129",
            "text": "Learn more about vulnerability SNYK-JS-JQUERY-565129 (medium) at Snyk"
        },
        {
            "link": "https://snyk.io/vuln/SNYK-JS-JQUERY-174006",
            "text": "Learn more about vulnerability SNYK-JS-JQUERY-174006 (medium) at Snyk"
        }
    ],
    "hintId": "no-vulnerable-javascript-libraries",
    "location": {
        "column": -1,
        "line": -1
    },
    "message": "'jQuery@3.1.1' has 3 known vulnerabilities (3 medium).",
    "resource": "https://www.foxnews.com/",
    "severity": 4,
    "sourceCode": ""
}
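The Analyzer code above returns problems in the shape printed here. As an added example (not code from is-website-vulnerable or the Hint project), the hypothetical `summarizeVulnerableLibraries()` below turns such problems into a per-library report: it pulls the library, version and Snyk IDs out of the `message` and `documentation` fields, cross-checks the advertised count against the listed advisories, and throws on a message it cannot parse so that a format change surfaces as an error rather than as a false negative. The sample problem is constructed from the output shown above.

```javascript
// Constructed sample: the problem object printed in this issue, as found in result.problems.
const SAMPLE_PROBLEMS = [
  {
    category: "security",
    documentation: [
      { link: "https://snyk.io/vuln/SNYK-JS-JQUERY-567880", text: "Learn more about vulnerability SNYK-JS-JQUERY-567880 (medium) at Snyk" },
      { link: "https://snyk.io/vuln/SNYK-JS-JQUERY-565129", text: "Learn more about vulnerability SNYK-JS-JQUERY-565129 (medium) at Snyk" },
      { link: "https://snyk.io/vuln/SNYK-JS-JQUERY-174006", text: "Learn more about vulnerability SNYK-JS-JQUERY-174006 (medium) at Snyk" },
    ],
    hintId: "no-vulnerable-javascript-libraries",
    location: { column: -1, line: -1 },
    message: "'jQuery@3.1.1' has 3 known vulnerabilities (3 medium).",
    resource: "https://www.foxnews.com/",
    severity: 4,
    sourceCode: "",
  },
];
// Message format as shown in the issue: "'<lib>@<version>' has N known vulnerabilities (N <level>)."
const MESSAGE_RE = /^'([^@']+)@([^']+)' has (\d+) known vulnerabilit(?:y|ies)(?: \(([^)]*)\))?/;
const SNYK_ID_RE = /SNYK-[A-Z0-9-]+/;

// Hypothetical helper: one finding per vulnerable library; problems from other hints are ignored.
function summarizeVulnerableLibraries(problems) {
  const findings = [];
  for (const problem of problems) {
    if (problem.hintId !== "no-vulnerable-javascript-libraries") continue;
    const match = MESSAGE_RE.exec(problem.message || "");
    // An unparseable message must fail loudly, not disappear as a clean result
    if (!match) throw new Error(`unexpected hint message format: ${problem.message}`);
    const [, library, version, count, breakdown = ""] = match;
    // "(3 medium)" -> { medium: 3 }; a comma-separated breakdown is assumed for mixed severities
    const bySeverity = {};
    for (const part of breakdown.split(",")) {
      const [n, level] = part.trim().split(/\s+/);
      if (n && level) bySeverity[level] = Number(n);
    }
    // Snyk advisory IDs, taken from the documentation links
    const ids = (problem.documentation || [])
      .map((doc) => (SNYK_ID_RE.exec(doc.link || "") || [])[0])
      .filter(Boolean);
    findings.push({
      library, version, count: Number(count), bySeverity, ids, resource: problem.resource,
      // A count that does not match the listed advisories is worth a look before trusting the scan
      consistent: ids.length === Number(count),
    });
  }
  return findings;
}

console.log(JSON.stringify(summarizeVulnerableLibraries(SAMPLE_PROBLEMS), null, 2));
```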