const Arborist = require('@npmcli/arborist')
const auditReport = require('npm-audit-report')
const fetch = require('npm-registry-fetch')
const localeCompare = require('@isaacs/string-locale-compare')('en')
const npa = require('npm-package-arg')
const pacote = require('pacote')
const pMap = require('p-map')
const ArboristWorkspaceCmd = require('../arborist-cmd.js')
const auditError = require('../utils/audit-error.js')
const log = require('../utils/log-shim.js')
const reifyFinish = require('../utils/reify-finish.js')
const sortAlphabetically = (a, b) => localeCompare(a.name, b.name)
class VerifySignatures {
constructor (tree, filterSet, npm, opts) {
this.tree = tree
this.filterSet = filterSet
this.npm = npm
this.opts = opts
this.keys = new Map()
this.invalid = []
this.missing = []
this.checkedPackages = new Set()
this.auditedWithKeysCount = 0
this.verifiedCount = 0
this.output = []
this.exitCode = 0
}
async run () {
const start = process.hrtime.bigint()
// Find all deps in tree
const { edges, registries } = this.getEdgesOut(this.tree.inventory.values(), this.filterSet)
if (edges.size === 0) {
throw new Error('found no installed dependencies to audit')
}
await Promise.all([...registries].map(registry => this.setKeys({ registry })))
const progress = log.newItem('verifying registry signatures', edges.size)
const mapper = async (edge) => {
progress.completeWork(1)
await this.getVerifiedInfo(edge)
}
await pMap(edges, mapper, { concurrency: 20, stopOnError: true })
// Didn't find any dependencies that could be verified, e.g. only local
// deps, missing version, not on a registry etc.
if (!this.auditedWithKeysCount) {
throw new Error('found no dependencies to audit that where installed from ' +
'a supported registry')
}
const invalid = this.invalid.sort(sortAlphabetically)
const missing = this.missing.sort(sortAlphabetically)
const hasNoInvalidOrMissing = invalid.length === 0 && missing.length === 0
if (!hasNoInvalidOrMissing) {
this.exitCode = 1
}
if (this.npm.config.get('json')) {
this.appendOutput(JSON.stringify({
invalid: this.makeJSON(invalid),
missing: this.makeJSON(missing),
}, null, 2))
return
}
const end = process.hrtime.bigint()
const elapsed = end - start
const auditedPlural = this.auditedWithKeysCount > 1 ? 's' : ''
const timing = `audited ${this.auditedWithKeysCount} package${auditedPlural} in ` +
`${Math.floor(Number(elapsed) / 1e9)}s`
this.appendOutput(`${timing}\n`)
if (this.verifiedCount) {
const verifiedBold = this.npm.chalk.bold('verified')
const msg = this.verifiedCount === 1 ?
`${this.verifiedCount} package has a ${verifiedBold} registry signature\n` :
`${this.verifiedCount} packages have ${verifiedBold} registry signatures\n`
this.appendOutput(msg)
}
if (missing.length) {
const missingClr = this.npm.chalk.bold(this.npm.chalk.red('missing'))
const msg = missing.length === 1 ?
`package has a ${missingClr} registry signature` :
`packages have ${missingClr} registry signatures`
this.appendOutput(
`${missing.length} ${msg} but the registry is ` +
`providing signing keys:\n`
)
this.appendOutput(this.humanOutput(missing))
}
if (invalid.length) {
const invalidClr = this.npm.chalk.bold(this.npm.chalk.red('invalid'))
const msg = invalid.length === 1 ?
`${invalid.length} package has an ${invalidClr} registry signature:\n` :
`${invalid.length} packages have ${invalidClr} registry signatures:\n`
this.appendOutput(
`${missing.length ? '\n' : ''}${msg}`
)
this.appendOutput(this.humanOutput(invalid))
const tamperMsg = invalid.length === 1 ?
`\nSomeone might have tampered with this package since it was ` +
`published on the registry!\n` :
`\nSomeone might have tampered with these packages since they where ` +
`published on the registry!\n`
this.appendOutput(tamperMsg)
}
}
appendOutput (...args) {
this.output.push(...args.flat())
}
report () {
return { report: this.output.join('\n'), exitCode: this.exitCode }
}
getEdgesOut (nodes, filterSet) {
const edges = new Set()
const registries = new Set()
for (const node of nodes) {
for (const edge of node.edgesOut.values()) {
const filteredOut =
edge.from
&& filterSet
&& filterSet.size > 0
&& !filterSet.has(edge.from.target)
if (!filteredOut) {
const spec = this.getEdgeSpec(edge)
if (spec) {
// Prefetch and cache public keys from used registries
registries.add(this.getSpecRegistry(spec))
}
edges.add(edge)
}
}
}
return { edges, registries }
}
async setKeys ({ registry }) {
const keys = await fetch.json('/-/npm/v1/keys', {
...this.npm.flatOptions,
registry,
}).then(({ keys }) => keys.map((key) => ({
...key,
pemkey: `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`,
}))).catch(err => {
if (err.code === 'E404') {
return null
} else {
throw err
}
})
if (keys) {
this.keys.set(registry, keys)
}
}
getEdgeType (edge) {
return edge.optional ? 'optionalDependencies'
: edge.peer ? 'peerDependencies'
: edge.dev ? 'devDependencies'
: 'dependencies'
}
getEdgeSpec (edge) {
let name = edge.name
try {
name = npa(edge.spec).subSpec.name
} catch {
// leave it as edge.name
}
try {
return npa(`${name}@${edge.spec}`)
} catch {
// Skip packages with invalid spec
}
}
buildRegistryConfig (registry) {
const keys = this.keys.get(registry) || []
const parsedRegistry = new URL(registry)
const regKey = `//${parsedRegistry.host}${parsedRegistry.pathname}`
return {
[`${regKey}:_keys`]: keys,
}
}
getSpecRegistry (spec) {
return fetch.pickRegistry(spec, this.npm.flatOptions)
}
getValidPackageInfo (edge) {
const type = this.getEdgeType(edge)
// Skip potentially optional packages that are not on disk, as these could
// be omitted during install
if (edge.error === 'MISSING' && type !== 'dependencies') {
return
}
const spec = this.getEdgeSpec(edge)
// Skip invalid version requirements
if (!spec) {
return
}
const node = edge.to || edge
const { version } = node.package || {}
if (node.isWorkspace || // Skip local workspaces packages
!version || // Skip packages that don't have a installed version, e.g. optonal dependencies
!spec.registry) { // Skip if not from registry, e.g. git package
return
}
for (const omitType of this.npm.config.get('omit')) {
if (node[omitType]) {
return
}
}
return {
name: spec.name,
version,
type,
location: node.location,
registry: this.getSpecRegistry(spec),
}
}
async verifySignatures (name, version, registry) {
const {
_integrity: integrity,
_signatures,
_resolved: resolved,
} = await pacote.manifest(`${name}@${version}`, {
verifySignatures: true,
...this.buildRegistryConfig(registry),
...this.npm.flatOptions,
})
const signatures = _signatures || []
return {
integrity,
signatures,
resolved,
}
}
async getVerifiedInfo (edge) {
const info = this.getValidPackageInfo(edge)
if (!info) {
return
}
const { name, version, location, registry, type } = info
if (this.checkedPackages.has(location)) {
// we already did or are doing this one
return
}
this.checkedPackages.add(location)
// We only "audit" or verify the signature, or the presence of it, on
// packages whose registry returns signing keys
const keys = this.keys.get(registry) || []
if (keys.length) {
this.auditedWithKeysCount += 1
}
try {
const { integrity, signatures, resolved } = await this.verifySignatures(
name, version, registry
)
// Currently we only care about missing signatures on registries that provide a public key
// We could make this configurable in the future with a strict/paranoid mode
if (signatures.length) {
this.verifiedCount += 1
} else if (keys.length) {
this.missing.push({
name,
version,
location,
resolved,
integrity,
registry,
})
}
} catch (e) {
if (e.code === 'EINTEGRITYSIGNATURE') {
const { signature, keyid, integrity, resolved } = e
this.invalid.push({
name,
type,
version,
resolved,
location,
integrity,
registry,
signature,
keyid,
})
} else {
throw e
}
}
}
humanOutput (list) {
return list.map(v =>
`${this.npm.chalk.red(`${v.name}@${v.version}`)} (${v.registry})`
).join('\n')
}
makeJSON (deps) {
return deps.map(d => ({
name: d.name,
version: d.version,
location: d.location,
resolved: d.resolved,
integrity: d.integrity,
signature: d.signature,
keyid: d.keyid,
}))
}
}
class Audit extends ArboristWorkspaceCmd {
static description = 'Run a security audit'
static name = 'audit'
static params = [
'audit-level',
'dry-run',
'force',
'json',
'package-lock-only',
'omit',
'foreground-scripts',
'ignore-scripts',
...super.params,
]
static usage = ['[fix|signatures]']
async completion (opts) {
const argv = opts.conf.argv.remain
if (argv.length === 2) {
return ['fix']
}
switch (argv[2]) {
case 'fix':
return []
default:
throw Object.assign(new Error(argv[2] + ' not recognized'), {
code: 'EUSAGE',
})
}
}
async exec (args) {
if (args[0] === 'signatures') {
await this.auditSignatures()
} else {
await this.auditAdvisories(args)
}
}
async auditAdvisories (args) {
const reporter = this.npm.config.get('json') ? 'json' : 'detail'
const opts = {
...this.npm.flatOptions,
audit: true,
path: this.npm.prefix,
reporter,
workspaces: this.workspaceNames,
}
const arb = new Arborist(opts)
const fix = args[0] === 'fix'
await arb.audit({ fix })
if (fix) {
await reifyFinish(this.npm, arb)
} else {
// will throw if there's an error, because this is an audit command
auditError(this.npm, arb.auditReport)
const result = auditReport(arb.auditReport, opts)
process.exitCode = process.exitCode || result.exitCode
this.npm.output(result.report)
}
}
async auditSignatures () {
if (this.npm.global) {
throw Object.assign(
new Error('`npm audit signatures` does not support global packages'), {
code: 'EAUDITGLOBAL',
}
)
}
log.verbose('loading installed dependencies')
const opts = {
...this.npm.flatOptions,
path: this.npm.prefix,
workspaces: this.workspaceNames,
}
const arb = new Arborist(opts)
const tree = await arb.loadActual()
let filterSet = new Set()
if (opts.workspaces && opts.workspaces.length) {
filterSet =
arb.workspaceDependencySet(
tree,
opts.workspaces,
this.npm.flatOptions.includeWorkspaceRoot
)
} else if (!this.npm.flatOptions.workspacesEnabled) {
filterSet =
arb.excludeWorkspacesDependencySet(tree)
}
const verify = new VerifySignatures(tree, filterSet, this.npm, { ...opts })
await verify.run()
const result = verify.report()
process.exitCode = process.exitCode || result.exitCode
this.npm.output(result.report)
}
}
module.exports = Audit
| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| access.js | File | 5.45 KB | 0644 |
|
| adduser.js | File | 2.2 KB | 0644 |
|
| audit.js | File | 11.95 KB | 0644 |
|
| bin.js | File | 729 B | 0644 |
|
| birthday.js | File | 508 B | 0644 |
|
| bugs.js | File | 815 B | 0644 |
|
| cache.js | File | 7.08 KB | 0644 |
|
| ci.js | File | 3.63 KB | 0644 |
|
| completion.js | File | 8.91 KB | 0644 |
|
| config.js | File | 8.11 KB | 0644 |
|
| dedupe.js | File | 1.37 KB | 0644 |
|
| deprecate.js | File | 2.06 KB | 0644 |
|
| diff.js | File | 8.1 KB | 0644 |
|
| dist-tag.js | File | 5.47 KB | 0644 |
|
| docs.js | File | 447 B | 0644 |
|
| doctor.js | File | 9.22 KB | 0644 |
|
| edit.js | File | 2 KB | 0644 |
|
| exec.js | File | 2.44 KB | 0644 |
|
| explain.js | File | 3.55 KB | 0644 |
|
| explore.js | File | 2.33 KB | 0644 |
|
| find-dupes.js | File | 602 B | 0644 |
|
| fund.js | File | 6.37 KB | 0644 |
|
| get.js | File | 524 B | 0644 |
|
| help-search.js | File | 5.62 KB | 0644 |
|
| help.js | File | 4.53 KB | 0644 |
|
| hook.js | File | 3.93 KB | 0644 |
|
| init.js | File | 6.81 KB | 0644 |
|
| install-ci-test.js | File | 377 B | 0644 |
|
| install-test.js | File | 374 B | 0644 |
|
| install.js | File | 5.11 KB | 0644 |
|
| link.js | File | 5.02 KB | 0644 |
|
| ll.js | File | 234 B | 0644 |
|
| logout.js | File | 1.34 KB | 0644 |
|
| ls.js | File | 16.94 KB | 0644 |
|
| org.js | File | 4.2 KB | 0644 |
|
| outdated.js | File | 8.84 KB | 0644 |
|
| owner.js | File | 5.88 KB | 0644 |
|
| pack.js | File | 2.36 KB | 0644 |
|
| ping.js | File | 874 B | 0644 |
|
| pkg.js | File | 3.47 KB | 0644 |
|
| prefix.js | File | 343 B | 0644 |
|
| profile.js | File | 11.25 KB | 0644 |
|
| prune.js | File | 779 B | 0644 |
|
| publish.js | File | 6.33 KB | 0644 |
|
| query.js | File | 2.81 KB | 0644 |
|
| rebuild.js | File | 2.16 KB | 0644 |
|
| repo.js | File | 1.24 KB | 0644 |
|
| restart.js | File | 351 B | 0644 |
|
| root.js | File | 298 B | 0644 |
|
| run-script.js | File | 6.9 KB | 0644 |
|
| search.js | File | 2.72 KB | 0644 |
|
| set-script.js | File | 2.63 KB | 0644 |
|
| set.js | File | 572 B | 0644 |
|
| shrinkwrap.js | File | 2.64 KB | 0644 |
|
| star.js | File | 1.87 KB | 0644 |
|
| stars.js | File | 1.03 KB | 0644 |
|
| start.js | File | 341 B | 0644 |
|
| stop.js | File | 336 B | 0644 |
|
| team.js | File | 4.44 KB | 0644 |
|
| test.js | File | 336 B | 0644 |
|
| token.js | File | 6.79 KB | 0644 |
|
| uninstall.js | File | 1.52 KB | 0644 |
|
| unpublish.js | File | 4.51 KB | 0644 |
|
| unstar.js | File | 182 B | 0644 |
|
| update.js | File | 1.7 KB | 0644 |
|
| version.js | File | 3.6 KB | 0644 |
|
| view.js | File | 14.38 KB | 0644 |
|
| whoami.js | File | 514 B | 0644 |
|