Merge pull request #236 from hmcts/RDM-5330_ng_audit

RDM-5301 - yarn audit with suppression script

.gitignore

@@ -49,4 +49,7 @@ integration_test/target
 *.iml
 
 # Visual Studio Code files
-.history/
+.history/
+
+# Yarn audit issues
+yarn-audit-issues

Jenkinsfile_CNP

@@ -43,6 +43,8 @@ withPipeline("nodejs", product, component) {
     overrideVaultEnvironments(vaultOverrides)
     loadVaultSecrets(secrets)
 
+    before('securitychecks') {sh 'yarn test:audit'}
+
     enableDockerBuild()
     installCharts()
 

Jenkinsfile_parameterized

@@ -11,6 +11,8 @@ properties([
 withParameterizedPipeline('nodejs', 'ccd', 'api-gateway-web', params.ENVIRONMENT, 'sandbox') {
     enableSlackNotifications('#ccd-param-builds')
 
+    before('securitychecks') {sh 'yarn test:audit'}
+
     afterCheckout {
         sh "yarn cache clean"
     }

bin/run-yarn-audit.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set +e
+yarn audit
+result=$?
+set -e
+
+if [[ "$result" != 0 ]]; then
+  if [[ -f yarn-audit-known-issues ]]; then
+    set +e
+    yarn audit --json | grep auditAdvisory > yarn-audit-issues
+    set -e
+    new_vulnerabilities=false
+    while read -r line; do
+        url=$(node -pe 'JSON.parse(process.argv[1]).data.advisory.url' "$line")
+        if ! grep -q "$url" yarn-audit-known-issues; then
+          echo "unknown vulnerability:$url"
+          new_vulnerabilities=true
+        fi
+    done < yarn-audit-issues
+
+    if [[ "$new_vulnerabilities" = true ]] ; then
+      echo
+      echo Security vulnerabilities were found that were not ignored
+      echo
+      echo Check to see if these vulnerabilities apply to production
+      echo and/or if they have fixes available. If they do not have
+      echo fixes and they do not apply to production, you may ignore them
+      echo
+      echo To ignore these vulnerabilities, please add advisories urls
+      echo "to yarn-audit-known-issues (eg: https://npmjs.com/advisories/755)"
+      echo
+      echo and commit the yarn-audit-known-issues file.
+
+      exit "$result"
+    fi
+
+    fi
+fi

package.json

@@ -14,6 +14,7 @@
     "test:unit": "NODE_ENV=test NODE_PATH=. mocha 'test/**/*.spec.js' --reporter spec --recursive",
     "test:coverage": "NODE_ENV=test NODE_PATH=. istanbul cover _mocha 'test/**/*.spec.js'",
     "test:acceptance": "echo 'TODO - CALL JAVA INTEGRATION TEST'",
+    "test:audit": "./bin/run-yarn-audit.sh -f yarn-audit-known-issues",
     "test:nsp": "NODE_PATH=. nsp check",
     "test:smoke": "echo SMOKE TESTS NOT CONFIGURED",
     "test:functional": "echo 'TODO - FUNCTIONAL TEST'",
@@ -34,7 +35,8 @@
     "form-data": "^2.1.4",
     "http-proxy-middleware": "^0.17.4",
     "https-proxy-agent": "^2.2.1",
-    "js-yaml": "^3.8.4",
+    "js-yaml": "^3.13.1",
+    "lodash": "^4.17.4",
     "jwt-decode": "^2.2.0",
     "node-fetch": "^1.7.0",
     "otp": "^0.1.3"
@@ -53,7 +55,7 @@
     "moment": "^2.22.1",
     "nock": "^10.0.6",
     "nsp": "^3.2.1",
-    "pa11y": "^5.0.4",
+    "pa11y": "^5.2.0",
     "proxyquire": "^2.0.1",
     "should": "^13.2.3",
     "should-http": "^0.1.0",
@@ -62,5 +64,12 @@
     "sinon-express-mock": "^2.0.0",
     "sonar-scanner": "^3.1.0",
     "supertest": "^3.0.0"
+  },
+
+  "resolutions": {
+    "braces": "^2.3.2",
+    "js-yaml": "3.13.1",
+    "lodash": "^4.17.4",
+    "handlebars": "^4.1.2"
   }
 }