
[BUG] Inconsistent audit json #7744

Closed
2 tasks done
georg-eckert-zeiss opened this issue Aug 22, 2024 · 4 comments
Labels
Bug thing that needs fixing Cannot Reproduce

Comments

@georg-eckert-zeiss (author) commented Aug 22, 2024

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "copy-webpack-plugin": {
      "name": "copy-webpack-plugin",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "fast-glob",
        "globby"
      ],
      "effects": [],
      "range": ">=6.0.0",
      "nodes": [
        "node_modules/copy-webpack-plugin"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "6.0.0",
        "isSemVerMajor": true
      }
    },
    "fast-glob": {
      "name": "fast-glob",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "micromatch"
      ],
      "effects": [
        "copy-webpack-plugin",
        "globby"
      ],
      "range": "*",
      "nodes": [
        "node_modules/fast-glob"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "6.0.0",
        "isSemVerMajor": true
      }
    },
    "globby": {
      "name": "globby",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "fast-glob"
      ],
      "effects": [
        "copy-webpack-plugin"
      ],
      "range": ">=8.0.0",
      "nodes": [
        "node_modules/globby"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "6.0.0",
        "isSemVerMajor": true
      }
    },
    "micromatch": {
      "name": "micromatch",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1098615,
          "name": "micromatch",
          "dependency": "micromatch",
          "title": "Regular Expression Denial of Service (ReDoS) in micromatch",
          "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<=4.0.7"
        }
      ],
      "effects": [
        "fast-glob"
      ],
      "range": "*",
      "nodes": [
        "node_modules/micromatch"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "6.0.0",
        "isSemVerMajor": true
      }
    }
  }
/* METADATA TRUNCATED */
}

Expected Behavior

  • In vulnerabilities > copy-webpack-plugin > via we have an array of strings ["fast-glob","globby"]
  • In vulnerabilities > micromatch > via however we have a completely different data structure

Shouldn't both be the same?
Best regards.

Steps To Reproduce

  1. In Windows 11
  2. create a project referencing copy-webpack-plugin:6.0.0 and micromatch:4.0.7
  3. Run npm audit --json
  4. See error

Environment

  • npm: 10.8.2
  • Node.js: v20.17.0
  • OS Name: Windows 11
  • npm config:
; "builtin" config from C:\Program Files\nodejs\node_modules\npm\npmrc

prefix = "C:\\Users\\<REDACTED>\\AppData\\Roaming\\npm"

; "user" config from C:\Users\<REDACTED>\.npmrc

//<REDACTED>/_packaging/<REDACTED>.js/npm/registry/:_password = (protected)
/<REDACTED>/_packaging/<REDACTED>.js/npm/registry/:email = (protected)
//<REDACTED>/_packaging/<REDACTED>.js/npm/registry/:username = (protected)

; "project" config from C:\dev\<REDACTED>\src\<REDACTED>\.npmrc

@zeiss:registry = "https://<REDACTED>/_packaging/<REDACTED>.js/npm/registry/"
always-auth = true

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v20.17.0
; npm local prefix = C:\dev\<REDACTED>\src\<REDACTED>
; npm version = 10.8.2
; cwd = C:\dev\<REDACTED>\src\<REDACTED>
; HOME = C:\Users\<REDACTED>
; Run `npm config ls -l` to show all defaults.
@georg-eckert-zeiss georg-eckert-zeiss added Bug thing that needs fixing Needs Triage needs review for next steps labels Aug 22, 2024
@kchindam-infy

kchindam-infy commented Aug 28, 2024

Unable to reproduce the issue as [email protected] . Tried on the environment as mentioned.
I have tried with lodash and micromatch packages and the audited json output is looking good for the via field data structure.
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "lodash": {
      "name": "lodash",
      "severity": "high",
      "isDirect": true,
      "via": [
        {
          "source": 1094500,
          "name": "lodash",
          "dependency": "lodash",
          "title": "Regular Expression Denial of Service (ReDoS) in lodash",
          "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9",
          "severity": "moderate",
          "cwe": [
            "CWE-400",
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<4.17.21"
        },
        {
          "source": 1096305,
          "name": "lodash",
          "dependency": "lodash",
          "title": "Prototype Pollution in lodash",
          "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw",
          "severity": "high",
          "cwe": [
            "CWE-770",
            "CWE-1321"
          ],
          "cvss": {
            "score": 7.4,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"
          },
          "range": ">=3.7.0 <4.17.19"
        },
        {
          "source": 1096996,
          "name": "lodash",
          "dependency": "lodash",
          "title": "Command Injection in lodash",
          "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
          "severity": "high",
          "cwe": [
            "CWE-77",
            "CWE-94"
          ],
          "cvss": {
            "score": 7.2,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": "<4.17.21"
        }
      ],
      "effects": [],
      "range": "<=4.17.20",
      "nodes": [
        "node_modules/lodash"
      ],
      "fixAvailable": true
    },
    "micromatch": {
      "name": "micromatch",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        {
          "source": 1098681,
          "name": "micromatch",
          "dependency": "micromatch",
          "title": "Regular Expression Denial of Service (ReDoS) in micromatch",
          "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<4.0.8"
        }
      ],
      "effects": [],
      "range": "<4.0.8",
      "nodes": [
        "node_modules/micromatch"
      ],
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 1,
      "high": 1,
      "critical": 0,
      "total": 2
    },
    "dependencies": {
      "prod": 97,
      "dev": 0,
      "optional": 0,
      "peer": 66,
      "peerOptional": 0,
      "total": 162
    }
  }
}
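Both reports above are valid auditReportVersion 2 output, and the two shapes of "via" are deliberate: an object is an advisory that affects the package directly, while a string names another vulnerable package the finding is inherited from (the reporter's copy-webpack-plugin is only vulnerable because it pulls in fast-glob and globby, which in turn reach micromatch). A consumer of `npm audit --json` therefore has to handle both. The script below is an added example, not code from this issue or from npm itself; the sample report is constructed from the data quoted in the original post, and the function names (`rootAdvisories`, `summarize`) are this example's own. It follows the string entries down to the root advisory objects and flags advisories that carry no CVSS vector, since their score of 0 (as in the reporter's micromatch entry) must not be read as "no risk".

```javascript
// Added example, not code from the npm issue or from npm itself: walk an
// `npm audit --json` (auditReportVersion 2) report and normalise the
// mixed-shape "via" field. An entry in "via" is either an advisory object
// (this package is affected directly) or a string naming another
// vulnerable package the finding is inherited from. Chasing the strings
// until only objects remain yields the root advisories behind any package.

// Constructed sample, reduced from the report quoted in the issue.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "copy-webpack-plugin": {
      name: "copy-webpack-plugin", severity: "moderate", isDirect: true,
      via: ["fast-glob", "globby"], effects: [], range: ">=6.0.0",
      nodes: ["node_modules/copy-webpack-plugin"],
      fixAvailable: { name: "copy-webpack-plugin", version: "6.0.0", isSemVerMajor: true },
    },
    "fast-glob": {
      name: "fast-glob", severity: "moderate", isDirect: false,
      via: ["micromatch"], effects: ["copy-webpack-plugin", "globby"], range: "*",
      nodes: ["node_modules/fast-glob"],
      fixAvailable: { name: "copy-webpack-plugin", version: "6.0.0", isSemVerMajor: true },
    },
    globby: {
      name: "globby", severity: "moderate", isDirect: false,
      via: ["fast-glob"], effects: ["copy-webpack-plugin"], range: ">=8.0.0",
      nodes: ["node_modules/globby"],
      fixAvailable: { name: "copy-webpack-plugin", version: "6.0.0", isSemVerMajor: true },
    },
    micromatch: {
      name: "micromatch", severity: "moderate", isDirect: false,
      via: [{
        source: 1098615, name: "micromatch", dependency: "micromatch",
        title: "Regular Expression Denial of Service (ReDoS) in micromatch",
        url: "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
        severity: "moderate", cwe: ["CWE-1333"],
        cvss: { score: 0, vectorString: null }, // as in the issue: no vector published
        range: "<=4.0.7",
      }],
      effects: ["fast-glob"], range: "*", nodes: ["node_modules/micromatch"],
      fixAvailable: { name: "copy-webpack-plugin", version: "6.0.0", isSemVerMajor: true },
    },
  },
};

// Follow string entries in "via" to the advisory objects they point at.
// `seen` guards against cycles in the graph and expands each package once,
// so an advisory reachable along several paths is returned once.
function rootAdvisories(report, pkgName, seen = new Set()) {
  if (report.auditReportVersion !== 2) {
    throw new Error(`expected auditReportVersion 2, got ${report.auditReportVersion}`);
  }
  const entry = report.vulnerabilities[pkgName];
  if (!entry || seen.has(pkgName)) return [];
  seen.add(pkgName);
  const found = [];
  for (const v of entry.via) {
    if (typeof v === "string") {
      found.push(...rootAdvisories(report, v, seen));
    } else if (v && typeof v === "object" && typeof v.source === "number") {
      found.push(v);
    } else {
      throw new TypeError(`unexpected via entry for ${pkgName}: ${JSON.stringify(v)}`);
    }
  }
  return found;
}

// One triage row per reported package. `unscored` counts root advisories
// without a CVSS vector: their score is 0, which must not be read as
// "no risk"; fall back to the advisory's "severity" string for those.
function summarize(report) {
  return Object.entries(report.vulnerabilities).map(([name, entry]) => {
    const roots = rootAdvisories(report, name);
    return {
      name,
      severity: entry.severity,
      isDirect: entry.isDirect,
      directAdvisories: entry.via.filter((v) => typeof v !== "string").length,
      inheritedFrom: entry.via.filter((v) => typeof v === "string"),
      rootAdvisories: roots.map((a) => a.url.split("/").pop()), // GHSA ids
      unscored: roots.filter((a) => !a.cvss || !a.cvss.vectorString).length,
    };
  });
}

// Stand-alone run: node audit-via.js
console.log(JSON.stringify(summarize(sampleReport), null, 2));
```

Run it with `node` on the embedded sample, or swap in `JSON.parse(fs.readFileSync(...))` of a real `npm audit --json` capture; in a CI gate the `unscored` count and the root GHSA ids are the fields worth failing on, rather than the per-package "severity" alone.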

@georg-eckert-zeiss (author)

I'll try to create a minimal example.

@milaninfy milaninfy added Cannot Reproduce and removed Needs Triage needs review for next steps labels Sep 6, 2024
@milaninfy (contributor)

Feel free to reopen or create a new issue with a minimal example and reproduction steps so that the issue can be reproduced every time.

@milaninfy milaninfy closed this as not planned Won't fix, can't repro, duplicate, stale Sep 6, 2024
@georg-eckert-zeiss (author)
Author

georg-eckert-zeiss commented Nov 7, 2024

The new issue is here: #7896
