[BUG] Inconsistent audit json #7744

Closed
2 tasks done
cz-dev-ge opened this issue Aug 22, 2024 · 4 comments
Labels: Bug, Cannot Reproduce

Comments

@cz-dev-ge

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "copy-webpack-plugin": {
      "name": "copy-webpack-plugin",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "fast-glob",
        "globby"
      ],
      "effects": [],
      "range": ">=6.0.0",
      "nodes": [
        "node_modules/copy-webpack-plugin"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "6.0.0",
        "isSemVerMajor": true
      }
    },
    "fast-glob": {
      "name": "fast-glob",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "micromatch"
      ],
      "effects": [
        "copy-webpack-plugin",
        "globby"
      ],
      "range": "*",
      "nodes": [
        "node_modules/fast-glob"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "6.0.0",
        "isSemVerMajor": true
      }
    },
    "globby": {
      "name": "globby",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "fast-glob"
      ],
      "effects": [
        "copy-webpack-plugin"
      ],
      "range": ">=8.0.0",
      "nodes": [
        "node_modules/globby"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "6.0.0",
        "isSemVerMajor": true
      }
    },
    "micromatch": {
      "name": "micromatch",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1098615,
          "name": "micromatch",
          "dependency": "micromatch",
          "title": "Regular Expression Denial of Service (ReDoS) in micromatch",
          "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<=4.0.7"
        }
      ],
      "effects": [
        "fast-glob"
      ],
      "range": "*",
      "nodes": [
        "node_modules/micromatch"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "6.0.0",
        "isSemVerMajor": true
      }
    }
  }
/* METADATA TRUNCATED */
}

Expected Behavior

  • In vulnerabilities > copy-webpack-plugin > via we have an array of strings ["fast-glob","globby"]
  • In vulnerabilities > micromatch > via however we have a completely different data structure

Shouldn't both be the same?
Best regards.

Steps To Reproduce

  1. In Windows 11
  2. create a project referencing copy-webpack-plugin:6.0.0 and micromatch:4.0.7
  3. Run npm audit --json
  4. See error

Environment

  • npm: 10.8.2
  • Node.js: v20.17.0
  • OS Name: Windows 11
  • npm config:
; "builtin" config from C:\Program Files\nodejs\node_modules\npm\npmrc

prefix = "C:\\Users\\<REDACTED>\\AppData\\Roaming\\npm"

; "user" config from C:\Users\<REDACTED>\.npmrc

//<REDACTED>/_packaging/<REDACTED>.js/npm/registry/:_password = (protected)
/<REDACTED>/_packaging/<REDACTED>.js/npm/registry/:email = (protected)
//<REDACTED>/_packaging/<REDACTED>.js/npm/registry/:username = (protected)

; "project" config from C:\dev\<REDACTED>\src\<REDACTED>\.npmrc

@zeiss:registry = "https://<REDACTED>/_packaging/<REDACTED>.js/npm/registry/"
always-auth = true

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v20.17.0
; npm local prefix = C:\dev\<REDACTED>\src\<REDACTED>
; npm version = 10.8.2
; cwd = C:\dev\<REDACTED>\src\<REDACTED>
; HOME = C:\Users\<REDACTED>
; Run `npm config ls -l` to show all defaults.
@cz-dev-ge cz-dev-ge added the Bug and Needs Triage labels Aug 22, 2024
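The two shapes of `via` seen in the report above (plain package-name strings for inherited problems, advisory objects for the package that actually carries the advisory) are easiest to consume when they are normalised into one list of root advisories per package. The following is an added example, not code from the issue or from npm itself; `sampleReport` is a constructed, trimmed version of the JSON quoted in the issue, and `rootAdvisories` / `summarize` are names chosen here.

```javascript
// Added example (not from the issue or from npm): normalise the two shapes of `via`
// in an `npm audit --json` (auditReportVersion 2) report into root advisories.

// Constructed sample, trimmed from the report quoted in the issue above.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "copy-webpack-plugin": { severity: "moderate", isDirect: true, via: ["fast-glob", "globby"] },
    "fast-glob": { severity: "moderate", isDirect: false, via: ["micromatch"] },
    globby: { severity: "moderate", isDirect: false, via: ["fast-glob"] },
    micromatch: {
      severity: "moderate", isDirect: false,
      via: [{ source: 1098615, name: "micromatch", severity: "moderate", range: "<=4.0.7",
              url: "https://github.com/advisories/GHSA-952p-6rrq-rcjv", cvss: { score: 0, vectorString: null } }],
    },
  },
};

// Follow string `via` references breadth-first until advisory objects are reached.
// `seen` keeps the diamond (copy-webpack-plugin -> globby -> fast-glob) from being
// walked twice and guards against cycles; advisories are deduplicated by `source` id.
function rootAdvisories(report, pkgName) {
  const seen = new Set([pkgName]), queue = [pkgName], found = new Map();
  while (queue.length) {
    const entry = report.vulnerabilities[queue.shift()];
    if (!entry) continue; // dangling reference: the report is internally inconsistent
    for (const v of entry.via) {
      if (typeof v === "string") {
        if (!seen.has(v)) { seen.add(v); queue.push(v); }
      } else if (v && typeof v === "object" && "source" in v) {
        found.set(v.source, v);
      } else {
        throw new TypeError(`unexpected via entry for ${pkgName}: ${JSON.stringify(v)}`);
      }
    }
  }
  return [...found.values()];
}

// One flat row per package. Severity comes from npm's `severity` field, not from
// cvss.score, which the issue shows as 0 with a null vector for a moderate advisory.
function summarize(report) {
  const out = {};
  for (const [name, entry] of Object.entries(report.vulnerabilities)) {
    const ghsa = rootAdvisories(report, name).map((a) => a.url.split("/").pop());
    out[name] = { isDirect: entry.isDirect, severity: entry.severity, advisories: ghsa };
  }
  return out;
}
```

Run against a real report with `JSON.parse(fs.readFileSync("audit.json"))` in place of `sampleReport`; every package in the output then lists the GHSA ids it ultimately inherits, regardless of which `via` shape it carried.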
@kchindam-infy

kchindam-infy commented Aug 28, 2024

Unable to reproduce the issue with copy-webpack-plugin@6.0.0. Tried on the environment as mentioned.
I have tried with lodash and micromatch packages and the audited json output is looking good for the via field data structure.
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "lodash": {
      "name": "lodash",
      "severity": "high",
      "isDirect": true,
      "via": [
        {
          "source": 1094500,
          "name": "lodash",
          "dependency": "lodash",
          "title": "Regular Expression Denial of Service (ReDoS) in lodash",
          "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9",
          "severity": "moderate",
          "cwe": [
            "CWE-400",
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<4.17.21"
        },
        {
          "source": 1096305,
          "name": "lodash",
          "dependency": "lodash",
          "title": "Prototype Pollution in lodash",
          "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw",
          "severity": "high",
          "cwe": [
            "CWE-770",
            "CWE-1321"
          ],
          "cvss": {
            "score": 7.4,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"
          },
          "range": ">=3.7.0 <4.17.19"
        },
        {
          "source": 1096996,
          "name": "lodash",
          "dependency": "lodash",
          "title": "Command Injection in lodash",
          "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
          "severity": "high",
          "cwe": [
            "CWE-77",
            "CWE-94"
          ],
          "cvss": {
            "score": 7.2,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": "<4.17.21"
        }
      ],
      "effects": [],
      "range": "<=4.17.20",
      "nodes": [
        "node_modules/lodash"
      ],
      "fixAvailable": true
    },
    "micromatch": {
      "name": "micromatch",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        {
          "source": 1098681,
          "name": "micromatch",
          "dependency": "micromatch",
          "title": "Regular Expression Denial of Service (ReDoS) in micromatch",
          "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<4.0.8"
        }
      ],
      "effects": [],
      "range": "<4.0.8",
      "nodes": [
        "node_modules/micromatch"
      ],
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 1,
      "high": 1,
      "critical": 0,
      "total": 2
    },
    "dependencies": {
      "prod": 97,
      "dev": 0,
      "optional": 0,
      "peer": 66,
      "peerOptional": 0,
      "total": 162
    }
  }
}

@cz-dev-ge
Author

I'll try to create a minimal example.

@milaninfy milaninfy added the Cannot Reproduce label and removed the Needs Triage label Sep 6, 2024
@milaninfy
Contributor

Feel free to reopen or create a new issue with steps and a minimal reproduction example so that the issue can be reproduced every time.

@milaninfy milaninfy closed this as not planned Sep 6, 2024
@cz-dev-ge
Author

cz-dev-ge commented Nov 7, 2024

The new issue is here: #7896
