
Jenkins check for vulnerable libraries in all node.js repos
Closed, Resolved (Public)

Description

Like we have for composer.lock files, we should check libraries included in our node.js repos for known vulnerabilities and alert someone if issues are found.

There are two utilities that I know of to do the check,

Wikia is using retire.js. Requiresafe is newer (and has active backing), but it talks to a proprietary service for the checks. Requiresafe also doesn't require you to npm install before doing the check, which (as far as I've been able to make it work) retire.js does.

Event Timeline

csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added subscribers: csteipp, mobrovac.
hashar triaged this task as Low priority. Jun 4 2015, 1:53 PM
hashar subscribed.

Nice feature but one needs to figure out a way to grab all our repositories composer.json for all branches that are supported. Then run the script on each of them. A first step can be to run it for mediawiki extensions deployed on cluster + the backend services using the master and wmf branches.

No one is apparently actively working on this idea though. So that needs a volunteer to step in :-]

And for the record, this is for running a check on our node.js services, as opposed to checking composer. That's another task. :)

I've heard that we don't currently manage services in our CI infrastructure (although it looks like parsoid, and maybe cx server is there), that those are usually pulled from the repo directly to the cluster and deployed. Is that really the case? Or are we running jenkins jobs for most services?

I've heard that we don't currently manage services in our CI infrastructure (although it looks like parsoid, and maybe cx server is there), that those are usually pulled from the repo directly to the cluster and deployed. Is that really the case?

That's true. We are waiting on isolated instances to profit from that. E.g. RESTBase needs Cassandra while Citoid needs zotero.

That said, I agree that a continuous check of libs should be introduced to make sure we are on the right side of the security fence.

Change 278571 had a related patch set uploaded (by Paladox):
Check for vulnerable libraries in all node.js repos

https://gerrit.wikimedia.org/r/278571

Change 278571 abandoned by Hashar:
Check for vulnerable libraries in all node.js repos

https://gerrit.wikimedia.org/r/278571

When we upgrade to npm 5.x we'll get npm audit which'll do this for us…

We now have package-lock.json being committed and should be able to run npm audit.

hashar added a project: LibUp.

I think that is now covered by LibUp, it scans composer/npm repositories and does report vulnerabilities at https://libraryupgrader2.wmcloud.org/vulns/npm?branch=main . There is then some process to automatically generate package updates for the affected repositories.