Merge pull request #217 from mobilutz/ll-use-github-ids

Switch identifier to be taken from `github_advisory_id`

README.md

@@ -118,7 +118,7 @@ A config file can manage auditing preferences `audit-ci`. The config file's keys
   "moderate": <boolean>, // [Optional] defaults `false`
   "high": <boolean>, // [Optional] defaults `false`
   "critical": <boolean>, // [Optional] defaults `false`
-  "allowlist": <(string | number)[]>, // [Optional] default `[]`
+  "allowlist": <string[]>, // [Optional] default `[]`
   "report-type": <string>, // [Optional] defaults `important`
   "package-manager": <string>, // [Optional] defaults `"auto"`
   "output-format": <string>, // [Optional] defaults `"text"`
@@ -144,10 +144,10 @@ Review the examples section for an [example of config file usage](#example-confi
 npx audit-ci -m
 ```
 
-### Prevents build on any vulnerability except advisory 690 and all of lodash and base64url, don't show allowlisted
+### Prevents build on any vulnerability except advisory "GHSA-38f5-ghc2-fcmv" and all of lodash and base64url, don't show allowlisted
 
 ```sh
-npx audit-ci -l -a 690 lodash base64url --show-found false
+npx audit-ci -l -a "GHSA-38f5-ghc2-fcmv" lodash base64url --show-found false
 ```
 
 ### Prevents build with critical vulnerabilities showing the full report
@@ -171,13 +171,13 @@ npx audit-ci --report-type summary
   "low": true,
   "package-manager": "auto",
   "allowlist": [
-    100,
-    101,
+    "GHSA-333w-rxj3-f55r",
+    "GHSA-vfvf-mqq8-rwqc",
     "example1",
     "example2",
-    "52|example3",
-    "1038442|example4",
-    "1038442|example5>example4",
+    "GHSA-6354-6mhv-mvv5|example3",
+    "GHSA-42xw-2xvc-qx8m|example4",
+    "GHSA-42xw-2xvc-qx8m|example5>example4",
     "*|example6>*"
   ],
   "registry": "https://registry.npmjs.org"

lib/Model.js

@@ -1,4 +1,4 @@
-const { matchString } = require("./common");
+const { matchString, gitHubAdvisoryUrlToAdvisoryId } = require("./common");
 
 const SUPPORTED_SEVERITY_LEVELS = new Set([
   "critical",
@@ -39,9 +39,11 @@ class Model {
       return;
     }
 
-    if (this.allowlist.advisories.includes(advisory.id)) {
-      if (!this.allowlistedAdvisoriesFound.includes(advisory.id)) {
-        this.allowlistedAdvisoriesFound.push(advisory.id);
+    if (this.allowlist.advisories.includes(advisory.github_advisory_id)) {
+      if (
+        !this.allowlistedAdvisoriesFound.includes(advisory.github_advisory_id)
+      ) {
+        this.allowlistedAdvisoriesFound.push(advisory.github_advisory_id);
       }
       return;
     }
@@ -51,7 +53,7 @@ class Model {
 
     advisory.findings
       .flatMap((finding) =>
-        finding.paths.map((path) => `${advisory.id}|${path}`)
+        finding.paths.map((path) => `${advisory.github_advisory_id}|${path}`)
       )
       .filter((path) =>
         this.allowlist.paths.some((allowedPath) =>
@@ -67,7 +69,7 @@ class Model {
     const isAllowListed = advisory.findings.every((finding) =>
       finding.paths.every((path) =>
         this.allowlist.paths.some((allowedPath) =>
-          matchString(allowedPath, `${advisory.id}|${path}`)
+          matchString(allowedPath, `${advisory.github_advisory_id}|${path}`)
         )
       )
     );
@@ -85,7 +87,11 @@ class Model {
     /** NPM 6 */
 
     if (parsedOutput.advisories) {
-      Object.values(parsedOutput.advisories).forEach((a) => this.process(a));
+      Object.values(parsedOutput.advisories).forEach((a) => {
+        // eslint-disable-next-line no-param-reassign, prefer-destructuring
+        a.github_advisory_id = gitHubAdvisoryUrlToAdvisoryId(a.url);
+        this.process(a);
+      });
       return this.getSummary();
     }
 
@@ -105,6 +111,7 @@ class Model {
           if (!advisoryMap.has(via.source)) {
             advisoryMap.set(via.source, {
               id: via.source,
+              github_advisory_id: gitHubAdvisoryUrlToAdvisoryId(via.url),
               module_name: via.name,
               severity: via.severity,
               url: via.url,
@@ -198,7 +205,7 @@ class Model {
     return this.getSummary();
   }
 
-  getSummary(advisoryMapper = (a) => a.id) {
+  getSummary(advisoryMapper = (a) => a.github_advisory_id) {
     const foundSeverities = new Set();
     this.advisoriesFound.forEach((curr) => foundSeverities.add(curr.severity));
     const failedLevelsFound = Array.from(foundSeverities);

lib/allowlist.js

@@ -8,12 +8,12 @@
 class Allowlist {
   /**
    *
-   * @param {(string | number)[]} input the allowlisted module names, advisories, and module paths
+   * @param {string[]} input the allowlisted module names, advisories, and module paths
    */
   constructor(input) {
     /** @type string[] */
     this.modules = [];
-    /** @type number[] */
+    /** @type string[] */
     this.advisories = [];
     /** @type string[] */
     this.paths = [];
@@ -22,9 +22,15 @@ class Allowlist {
     }
     input.forEach((arg) => {
       if (typeof arg === "number") {
-        this.advisories.push(arg);
-      } else if (arg.includes(">") || arg.includes("|")) {
+        throw new Error(
+          "Unsupported number as allowlist. Perform codemod to update config to use GitHub advisory as identifiers: https://github.com/quinnturner/audit-ci-codemod with `npx @quinnturner/audit-ci-codemod`. See also: https://github.com/IBM/audit-ci/pull/217"
+        );
+      }
+
+      if (arg.includes(">") || arg.includes("|")) {
         this.paths.push(arg);
+      } else if (arg.startsWith("GHSA")) {
+        this.advisories.push(arg);
       } else {
         this.modules.push(arg);
       }

lib/common.js

@@ -121,8 +121,13 @@ function matchString(template, str) {
     : template === str;
 }
 
+function gitHubAdvisoryUrlToAdvisoryId(url) {
+  return url.split("/")[4];
+}
+
 module.exports = {
   runProgram,
   reportAudit,
   matchString,
+  gitHubAdvisoryUrlToAdvisoryId,
 };

lib/yarn-auditer.js

@@ -206,7 +206,7 @@ async function audit(config, reporter = reportAudit) {
     );
   }
 
-  const summary = model.getSummary((a) => a.id);
+  const summary = model.getSummary((a) => a.github_advisory_id);
   return reporter(summary, config);
 }