
Jenkins check for vulnerable libraries in all node.js repos
Open, Low, Public

Description

Like we have for composer.lock files, we should check libraries included in our node.js repos for known vulnerabilities and alert someone if issues are found.

There are two utilities that I know of to do the check:

Wikia is using retire.js. Requiresafe is newer (and has active backing), but it talks to a proprietary service for the checks. Requiresafe also doesn't require you to npm install before doing the check, which (as far as I've been able to make it work) retire.js does.

Event Timeline

csteipp created this task. Apr 14 2015, 8:40 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
csteipp added subscribers: csteipp, mobrovac.
Restricted Application added a subscriber: Aklapper. Apr 14 2015, 8:40 PM
hashar triaged this task as Low priority. Jun 4 2015, 1:53 PM
hashar added a subscriber: hashar.

Nice feature, but one needs to figure out a way to grab all our repositories' composer.json for all branches that are supported, then run the script on each of them. A first step can be to run it for MediaWiki extensions deployed on cluster + the backend services using the master and wmf branches.

No one is apparently actively working on this idea though. So that needs a volunteer to step in :-]

And for the record, this is for running a check on our node.js services, as opposed to checking composer. That's another task. :)

I've heard that we don't currently manage services in our CI infrastructure (although it looks like parsoid, and maybe cx server is there), that those are usually pulled from the repo directly to the cluster and deployed. Is that really the case? Or are we running jenkins jobs for most services?

> I've heard that we don't currently manage services in our CI infrastructure (although it looks like parsoid, and maybe cx server is there), that those are usually pulled from the repo directly to the cluster and deployed. Is that really the case?

That's true. We are waiting on isolated instances to profit from that. E.g. RESTBase needs Cassandra while Citoid needs zotero.

That said, I agree that a continuous check of libs should be introduced to make sure we are on the right side of the security fence.

Change 278571 had a related patch set uploaded (by Paladox):
Check for vulnerable libraries in all node.js repos

https://gerrit.wikimedia.org/r/278571

Change 278571 abandoned by Hashar:
Check for vulnerable libraries in all node.js repos

https://gerrit.wikimedia.org/r/278571

When we upgrade to npm 5.x we'll get npm audit which'll do this for us…

We now have package-lock.json being committed and should be able to run npm audit.