Page MenuHomePhabricator
Create Task
Maniphest T296806

Find optimal solution for projects with nested package.json files (within the context of Gitlab CI)
Closed, ResolvedPublic
Actions

Description

This doesn't happen all that often, but occasionally projects will have multiple, nested package.json / package-lock.json files (sub-apps, if you will). For our tools which are checking against various node/npm vulnerabilities, which reference these files, we need to a way to search for all of them, iterate over them and run various security tooling for each individual file. This likely needs to be no more complicated than the something like this loop within the ci template yaml linter. We will also want to confirm that this only: changes: directive matching pattern will trigger on changes to nested package.json / package-lock.json files.

Related Objects
Search...

Event Timeline

sbassett created this task.Dec 1 2021, 3:49 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 1 2021, 3:49 AM
santhosh subscribed.Dec 1 2021, 4:09 AM
sbassett claimed this task.Dec 2 2021, 8:13 PM
sbassett added a project: user-sbassett.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett renamed this task from Find optimal solution for projects with nested package.json files to Find optimal solution for projects with nested package.json files (within the context of Gitlab CI).Dec 2 2021, 8:17 PM
sbassett added a comment.EditedDec 8 2021, 6:29 PM

Update:

    1. Confirmed via this commit and this commit that the logic currently employed via the only: changes: directives within some of our current ci templates does actually trigger on changes to both root-level and nested package.json and package-lock.json files. See respective pipeline triggers here and here. Though both pipelines did not complete due to a lack of runners being available right now, see also: T294050#7557027.
  2. As a basic proof-of-concept, using audit-ci as an example, this seems to solve this problem. The glob could stand some optimization, I'd imagine, but it works fine:
#!/bin/bash

root_dir=$(pwd)
file_list=$(git diff-tree --no-commit-id --name-only -r $CI_COMMIT_SHA -- \
{*package.json,*package-lock.json,*/package.json,*/package-lock.json})

for f in $file_list; do
    npm_dir="$(dirname "$f")"
    cd $root_dir/$npm_dir
    npm install
    audit-ci --moderate=true --skip-dev=true --report=true
done
sbassett closed this task as Resolved.EditedDec 18 2021, 3:10 AM
sbassett triaged this task as Low priority.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.

hypothetical future gitlabbot: https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/commit/858a5865bb76658ba939d160cdd2e610bcaa85cf

Anyhow, the logic for this is done and can now be found within the current auditjs, npm audit and npm outdated ci templates. It ended up looking like this.

And here's an example of a ci config with all three of the node/npm templates configured, a pipeline run against two package.json files with known vulnerabilities, and the output for each tool: auditjs, npm audit and npm outdated. (note that npm outdated is allowed to fail as it is purely informational reporting).

So calling this done, for now.

sbassett moved this task from In Progress to Done on the user-sbassett board.Dec 18 2021, 3:10 AM
sbassett added a project: GitLab-Application-Security-Pipeline.Jul 13 2023, 7:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits