-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Expand file tree
/
Copy pathaudit_deps.py
More file actions
executable file
·240 lines (191 loc) · 7.7 KB
/
Copy pathaudit_deps.py
File metadata and controls
executable file
·240 lines (191 loc) · 7.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
#!/usr/bin/env vpython3
# pylint: disable=line-too-long
"""This script runs `npm audit' and `cargo audit' on relevant paths in the
repo."""
# Copyright (c) 2020 The Brave Authors. All rights reserved.
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this file,
# You can obtain one at https://mozilla.org/MPL/2.0/.
import argparse
import json
import os
import subprocess
import shutil
import sys
import urllib.request
def get_remote_audit_config(
url="https://raw.githubusercontent.com/brave/audit-config/main/config.json"
):
return json.loads(urllib.request.urlopen(url).read().decode("utf-8"))
REMOTE_AUDIT_CONFIG = get_remote_audit_config()
IGNORED_CARGO_ADVISORIES = [
e["advisory"] for e in REMOTE_AUDIT_CONFIG["ignore"]["cargo"]
]
IGNORED_NPM_ADVISORIES = [
e["advisory"] for e in REMOTE_AUDIT_CONFIG["ignore"]["npm"]
]
# Use all (sub)paths except these for npm audit.
NPM_EXCLUDE_PATHS = [
'build',
os.path.join('node_modules'),
os.path.join('tools', 'crates')
]
# Only check Cargo.lock for these paths.
CARGO_INCLUDE_PATHS = [
os.path.join('third_party', 'rust', 'chromium_crates_io'),
os.path.join('tools', 'crates'),
os.path.join('components', 'skus', 'browser', 'rs', 'wasm')
]
def main():
"""Audit a specified path, or the whole project."""
if len(IGNORED_NPM_ADVISORIES) > 0:
print(f"Ignoring NPM advisories "
f"{', '.join(map(str, IGNORED_NPM_ADVISORIES))}")
if len(IGNORED_CARGO_ADVISORIES) > 0:
print(f"Ignoring Cargo advisories "
f"{', '.join(map(str, IGNORED_CARGO_ADVISORIES))}")
args = parse_args()
args.source_root = os.path.normpath(args.source_root)
errors = 0
if args.input_dir:
return audit_path(os.path.abspath(args.input_dir), args)
for path in [
os.path.dirname(os.path.dirname(args.source_root)), args.source_root
]:
errors += audit_path(path, args)
for dir_path, dirs, _ in os.walk(args.source_root):
for dir_name in dirs:
full_path = os.path.join(dir_path, dir_name)
errors += audit_path(full_path, args)
for p in CARGO_INCLUDE_PATHS:
print(f'Auditing (cargo) {p}')
errors += cargo_audit_deps(os.path.join(args.source_root, p), args)
if args.output:
with open(args.output, 'w') as f:
json.dump(errors, f)
return errors > 0
def audit_path(path, args):
"""Audit the specified path (relative, or absolute)."""
errors = 0
full_path = os.path.join(os.path.abspath(path), "")
if os.path.isfile(os.path.join(path, 'package.json')) and \
os.path.isfile(os.path.join(path, 'package-lock.json')) and \
not any(full_path.startswith(os.path.join(args.source_root, p, ""))
for p in NPM_EXCLUDE_PATHS):
print(f'Auditing (npm) {path}')
errors += npm_audit_deps(path, args)
if os.path.isfile(os.path.join(path, 'package.json')) and \
os.path.isfile(os.path.join(path, 'pnpm-lock.yaml')) and \
not any(full_path.startswith(os.path.join(args.source_root, p, ""))
for p in NPM_EXCLUDE_PATHS):
print(f'Auditing (pnpm) {path}')
errors += pnpm_audit_deps(path, args)
return errors
def npm_audit_deps(path, args):
"""Run `npm audit' in the specified path."""
npm_cmd = 'npm'
if sys.platform.startswith('win'):
npm_cmd = 'npm.cmd'
npm_args = [npm_cmd, 'audit', '--json']
if not args.audit_dev_deps:
# Don't support npm audit --production until dev dependencies are
# correctly identified in package.json
print('npm audit --production not supported; auditing dev dependencies')
audit_process = subprocess.Popen(npm_args, stdout=subprocess.PIPE, cwd=path)
output, _ = audit_process.communicate()
try:
# results from audit
result = json.loads(output.decode('UTF-8'))
# npm7 uses a different format from earlier versions
assert 'vulnerabilities' in result or 'advisories' in result
except (ValueError, AssertionError):
# This can happen in the case of an NPM network error
print('Audit failed to return valid json')
return 1
resolutions = extract_resolutions(result)
if len(resolutions) > 0:
print('Result: Audit failed due to vulnerabilities')
print(json.dumps(resolutions, indent=2))
return 1
print('Result: Audit finished, no vulnerabilities found')
return 0
def pnpm_audit_deps(path, args):
"""Run `pnpm audit' in the specified path."""
pnpm_path = shutil.which('pnpm')
if not pnpm_path:
print('pnpm not found')
return 1
pnpm_args = [pnpm_path, 'audit', '--json']
if not args.audit_dev_deps:
# Don't support pnpm audit --prod until dev dependencies are
# correctly identified in package.json
print('pnpm audit --prod not supported; auditing dev dependencies')
audit_process = subprocess.Popen(pnpm_args,
stdout=subprocess.PIPE,
cwd=path)
output, _ = audit_process.communicate()
try:
# results from audit
result = json.loads(output.decode('UTF-8'))
assert 'vulnerabilities' in result or 'advisories' in result
except (ValueError, AssertionError):
# This can happen in the case of a network error
print('Audit failed to return valid json')
return 1
resolutions = extract_resolutions(result)
if len(resolutions) > 0:
print('Result: Audit failed due to vulnerabilities')
print(json.dumps(resolutions, indent=2))
return 1
print('Result: Audit finished, no vulnerabilities found')
return 0
def cargo_audit_deps(path, args):
"""Run `cargo audit' in the specified path."""
cargo_args = []
cargo_args.append(args.cargo_audit_exe)
cargo_args.append("audit")
cargo_args.append("--file")
cargo_args.append(os.path.join(path, "Cargo.lock"))
for advisory in IGNORED_CARGO_ADVISORIES:
cargo_args.append("--ignore")
cargo_args.append(advisory)
return subprocess.call(cargo_args)
def extract_resolutions(result):
"""Extract resolutions from advisories present in the result."""
resolutions = []
# npm 7+
if 'vulnerabilities' in result:
advisories = result['vulnerabilities']
if len(advisories) == 0:
return resolutions
for _, v in advisories.items():
via = v['via']
for item in via:
if isinstance(item, dict) and \
item['url'] not in IGNORED_NPM_ADVISORIES:
resolutions.append(item['url'])
# npm 6 and earlier
if 'advisories' in result:
advisories = result['advisories']
if len(advisories) == 0:
return resolutions
for _, v in advisories.items():
url = v['url']
if url not in IGNORED_NPM_ADVISORIES:
resolutions.append(url)
return resolutions
def parse_args():
"""Parse command line arguments."""
parser = argparse.ArgumentParser(description='Audit brave-core npm deps')
parser.add_argument('input_dir', nargs='?', help='Directory to check')
parser.add_argument('--source_root',
required=True,
help='Full path of the src/brave directory')
parser.add_argument('--cargo_audit_exe', required=True)
parser.add_argument('--audit_dev_deps',
action='store_true',
help='Audit dev dependencies')
parser.add_argument('--output', help='Output file')
return parser.parse_args()
if __name__ == '__main__':
sys.exit(main())