Node Promiscuous Modules

    This package has been deprecated

    Author message:

    This experimental package is now unmaintained

    @quasar/quasar-app-extension-testing-security-antivuln

    1.0.0-alpha.2 • Public • Published

    @quasar/testing-security-antivuln

    This testing app extension will scan your installed dependencies (the entire chain) and compare them with the list of advisories found here: https://www.npmjs.com/advisories warning you if any are unsafe.

    Install

    Installation should be done via the @quasar/testing mono repo using

    quasar ext add @quasar/testing

    Then selecting the Security Anti-Vulnerability harness. If you do need to install this application extension on independantly you can use:

    quasar ext add @quasar/testing-security-antivuln

    Quasar CLI will retrieve it from NPM and install the extension.

    Prompts

    This app extension will prompt for 3 options:

    • Scan when running quasar dev - Enabling this will cause the scan to run when you run quasar dev
    • Scan when running quasar build - Enabling this will cause the scan to run when you run quasar build
    • Strict Mode - If enabled and if vulnerabilities are found, script execution will stop when runOnDev and / or runOnBuild are true.

    Uninstall

    If installed via @quasar/testing then just run the install again and don't select the Security Anti-Vulnerability harness.

    If installed direct, run:

    quasar ext remove @quasar/testing-security-antivuln

    Running

    quasar test --security antivuln

    Testing

    If you would like to test the output / how this works. You can add any package that exists in the NPM Advisory List for instance:

    yarn add ids-enterprise@4.18.0

    When you've added this package to your project, run:

    quasar test --security antivuln

    And you will see output similar to (albeit with a little more color):

    Security Alert: [high] [ids-enterprise]
      Type: Cross-Site Scripting
      Advisory Version: <4.18.2
      Current version: 4.18.0
      Recommendation: Upgrade to version 4.18.2 or later
      Url: https://npmjs.com/advisories/957
      Detail: Versions of `ids-enterprise` prior to 4.18.2 are vulnerable to Cross-Site Scripting (XSS). The `modal` component fails to sanitize input to the `title` attribute, which may allow attackers to execute arbitrary JavaScript.

    #####IMPORTANT

    Remember to remove the unsafe package you've added for testing.

    Output

    Once the test has run, output will be saved to

    your-application-folder/test/audits/security/antivuln/bad.packages.result.json
    

    The output will be similar to (or exactly the same if you're following the Testing section above):

    {
      "status": "fail",
      "runAt": 1560426465,
      "totalAdvisories": 1,
      "advisories": [
        {
          "name": "ids-enterprise",
          "version": "<4.18.2",
          "title": "Cross-Site Scripting",
          "recommendation": "Upgrade to version 4.18.2 or later",
          "severity": "high",
          "overview": "Versions of `ids-enterprise` prior to 4.18.2 are vulnerable to Cross-Site Scripting (XSS). The `modal` component fails to sanitize input to the `title` attribute, which may allow attackers to execute arbitrary JavaScript.",
          "url": "https://npmjs.com/advisories/957",
          "currentVersion": "4.18.0"
        }
      ]
    }

    Possible Roadmap

    • Fix option
    • HTML bad package browser.

    Patreon

    If you like (and use) this App Extension, please consider becoming a Quasar Patreon.

    Keywords

    none

    Install

    npm i @quasar/quasar-app-extension-testing-security-antivuln

    DownloadsWeekly Downloads

    519

    Version

    1.0.0-alpha.2

    License

    MIT

    Unpacked Size

    5.49 kB

    Total Files

    4

    Last publish

    Collaborators

    • rstoenescu
    • hawkeye64
    • smolinari
    • ilcallo