Scripts of yarn audit
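#!/bin/sh
#
# notify-audit-to-slack.sh
#
# Post the advisories read from stdin to a Slack incoming webhook, one
# attachment per advisory, coloured by severity.
#
# required env:
# SLACK_TEXT: Description, Build URL of CI
#   (a literal backslash-n in the value is turned into a newline)
# SLACK_INCOMING: Slack Incoming Webhook URL
#
# required stdin:
# json text of `.data.advisory` on yarn audit
#
# required packages:
# printf
# curl
# jq
#
# usage:
# yarn audit --json \
# | jq -s 'map(.data.advisory)' \
# |\
# SLACK_TEXT="Check unknown advisories\n${CIRCLE_BUILD_URL}" \
# SLACK_INCOMING="https://hooks.slack.com/services/********" \
# sh <(curl --silent -L https://gist.githubusercontent.com/namikingsoft/b2cde62e1953766acf2d47bc1ec1fa2b/raw/notify-audit-to-slack.sh)
#
# usage:
# sh <(curl --silent -L https://gist.githubusercontent.com/namikingsoft/b2cde62e1953766acf2d47bc1ec1fa2b/raw/yarn-audit-without-exceptions.sh) \
# |\
# SLACK_TEXT="Check unknown advisories\n${CIRCLE_BUILD_URL}" \
# SLACK_INCOMING="https://hooks.slack.com/services/********" \
# sh <(curl --silent -L https://gist.githubusercontent.com/namikingsoft/b2cde62e1953766acf2d47bc1ec1fa2b/raw/notify-audit-to-slack.sh)
#
# notes:
# - Options on the "#!" line are not applied when the script is started as
#   `sh <(curl ...)`, so strict mode is switched on with `set` below.
# - The usage above executes whatever the URL serves at that moment, with the
#   webhook URL in its environment. Pin the download to a reviewed revision,
#   or keep a reviewed copy of the script in the repository.
# - SLACK_INCOMING is a credential: keep shell tracing (`set -x`) off around
#   this script so it does not end up in shared CI logs.

set -eu

# Fail with a clear message instead of an "unset variable" abort.
: "${SLACK_TEXT?SLACK_TEXT is required}"
: "${SLACK_INCOMING:?SLACK_INCOMING is required}"

# stdin
advisories_json="$(cat)"

# Nothing at all on stdin is not the same as "[]": the step that feeds this
# script produced no result, so do not report it as a clean audit.
if [ -z "$advisories_json" ]; then
  echo "No audit data on stdin" >&2
  exit 1
fi

# check advisories count
advisory_count="$(printf '%s' "$advisories_json" | jq 'length')"
if [ "$advisory_count" = "0" ]; then
  echo Nothing unknown advisories
  exit 0
fi

# for console dump
printf '%s' "$advisories_json" | jq .

# generate post json for slack incoming
#
# SLACK_TEXT is handed to jq as data (--arg) rather than pasted into the
# filter text, so quotes or "\(...)" in it cannot alter the filter. The
# split/join keeps the documented usage working, where the value carries a
# literal backslash-n as line separator.
post_slack_json="$(
  printf '%s' "$advisories_json" | jq --arg text "$SLACK_TEXT" '
    {
      text: ($text | split("\\n") | join("\n")),
      attachments: map({
        color: (
          if .severity == "critical" then "#bf008c"
          elif .severity == "high" then "#d9534f"
          elif .severity == "moderate" then "#f0ad4e"
          else "#cccccc"
          end
        ),
        title: "\(.title) (\(.severity))",
        title_link: .url,
        text: .overview,
        fields: [
          {
            title: "Module",
            value: "\(.module_name) @ \(.vulnerable_versions)",
            short: true
          },
          {
            title: "Used By",
            value: (
              .findings
              | map(.paths)
              | flatten
              | map(split(">")[0])
              | unique
              | join("\n")
            ),
            short: true
          }
        ],
        footer: "Updated: \(.updated)"
      })
    }
  '
)"

# notify to slack
# The URL is quoted so it always reaches curl as exactly one argument.
curl \
  -H "Content-Type: application/json" \
  -X POST -d "$post_slack_json" \
  "$SLACK_INCOMING"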
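#!/bin/sh
#
# yarn-audit-check.sh
#
# List the audit exceptions configured in package.json that no longer match
# any advisory reported by `yarn audit`, then print the normal audit report.
#
# required files:
# ./package.json
# ./yarn.lock
#
# required packages:
# node
# yarn
# jq
#
# usage:
# sh <(curl --silent -L https://gist.githubusercontent.com/namikingsoft/b2cde62e1953766acf2d47bc1ec1fa2b/raw/yarn-audit-check.sh)
#
# package.json:
# ```json
# {
# "audit": {
# "exceptions": {
# "severities": [
# "moderate",
# "low",
# "(critical|high|moderate|low)"
# ],
# "ids": [
# "678",
# "(Please input advisories id more than high is attached end of url, i.e. `678`)",
# "(advisories url: https://nodesecurity.io/advisories/678)"
# ]
# }
# }
# }
# ```
#
# notes:
# - Options on the "#!" line are not applied when the script is started as
#   `sh <(curl ...)`, so strict mode is switched on with `set` below.
# - The usage above executes whatever the URL serves at that moment. Pin the
#   download to a reviewed revision, or keep a reviewed copy of the script in
#   the repository.
# - A severity exception hides every advisory of that severity, including
#   ones published later; an id exception hides one known advisory. Removing
#   the entries this script reports keeps the exception list from growing
#   stale.

set -eu

# yarn audit exits non-zero when it finds advisories; only its output matters.
result="$(yarn audit --json || true)"

# exit if 503 Service Unavailable
# (an explicit test, so the guard works even when "-e" is not in effect)
if [ -z "$result" ]; then
  echo "yarn audit returned no output" >&2
  exit 1
fi

# Keep only the report lines that carry an advisory.
advisories_json="$(printf '%s' "$result" | jq -s 'map(.data.advisory | select(.))')"

echo "Wasted exception of severities: "
# A missing .audit.exceptions section is not an error, hence 2> /dev/null.
# grep lets through only the four known severity names; each one is then
# passed to jq as data (--arg) instead of being pasted into the filter.
jq -r '.audit.exceptions.severities[]' package.json 2> /dev/null \
  | grep -E '^(critical|high|moderate|low)$' \
  | while IFS= read -r severity; do
      printf '%s' "$advisories_json" | jq -r --arg severity "$severity" '
        map(select(.severity == $severity))
        | length
        | if . == 0 then " \($severity)" else empty end
      '
    done
echo

echo "Wasted exception of ids:"
# grep lets through only all-digit ids; jq compares them as numbers.
jq -r '.audit.exceptions.ids[]' package.json 2> /dev/null \
  | grep -E '^[0-9]+$' \
  | while IFS= read -r id; do
      printf '%s' "$advisories_json" | jq -r --arg id "$id" '
        ($id | tonumber) as $wanted
        | map(select(.id == $wanted))
        | length
        | if . == 0 then " \($id)" else empty end
      '
    done
echo

# Human-readable report; its exit status is deliberately ignored.
yarn audit || true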
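#!/bin/sh
#
# yarn-audit-without-exceptions.sh
#
# Print, as one JSON array, the advisories from `yarn audit` that are not
# covered by the exceptions configured in package.json.
#
# required files:
# ./package.json
# ./yarn.lock
#
# required packages:
# node
# yarn
# jq
#
# usage:
# sh <(curl --silent -L https://gist.githubusercontent.com/namikingsoft/b2cde62e1953766acf2d47bc1ec1fa2b/raw/yarn-audit-without-exceptions.sh)
#
# package.json:
# ```json
# {
# "audit": {
# "exceptions": {
# "severities": [
# "moderate",
# "low",
# "(critical|high|moderate|low)"
# ],
# "ids": [
# "678",
# "(Please input advisories id more than high is attached end of url, i.e. `678`)",
# "(advisories url: https://nodesecurity.io/advisories/678)"
# ]
# }
# }
# }
# ```
#
# notes:
# - Options on the "#!" line are not applied when the script is started as
#   `sh <(curl ...)`, so strict mode is switched on with `set` below.
# - The usage above executes whatever the URL serves at that moment. Pin the
#   download to a reviewed revision, or keep a reviewed copy of the script in
#   the repository.
# - A severity exception hides every advisory of that severity, including
#   ones published later; prefer id exceptions where possible.

set -eu

# yarn audit exits non-zero when it finds advisories; only its output matters.
result="$(yarn audit --ignore-engines --json || true)"

# No output at all means the audit did not run (the sibling check script
# guards the same case for "503 Service Unavailable"). Stop here: feeding
# empty input to `jq -s` would print "[]", which reads as a clean audit.
if [ -z "$result" ]; then
  echo "yarn audit returned no output" >&2
  exit 1
fi

# Exceptions from package.json as JSON arrays. A missing .audit.exceptions
# section is not an error (hence 2> /dev/null) and yields "[]". grep lets
# through only the four known severity names and all-digit ids.
excepted_severities="$(
  jq -r '.audit.exceptions.severities[]' package.json 2> /dev/null \
    | grep -E '^(critical|high|moderate|low)$' \
    | jq -R . \
    | jq -s -c .
)"
excepted_ids="$(
  jq -r '.audit.exceptions.ids[]' package.json 2> /dev/null \
    | grep -E '^[0-9]+$' \
    | jq -R 'tonumber' \
    | jq -s -c .
)"

# The exception lists are passed as data (--argjson) instead of being spliced
# into the filter text. Report lines without an advisory are dropped, then
# advisories matching an excepted severity or id, then duplicates by id.
printf '%s' "$result" \
  | jq -s \
      --argjson severities "$excepted_severities" \
      --argjson ids "$excepted_ids" '
        map(
          .data.advisory
          | select(.)
          | select(.severity as $s | all($severities[]; . != $s))
          | select(.id as $i | all($ids[]; . != $i))
        )
        | unique_by(.id)
      '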