
Bugfix/fix deprecated packages #276

Merged


lostunicorn
Contributor

@lostunicorn lostunicorn commented Jan 3, 2024

Update dependencies to fix a number of vulnerabilities reported by npm audit + use non-deprecated packages

This pull request makes the following changes:

  • bump uuid to non-deprecated version
  • bump istanbul-lib-process-info & friends to no longer use a deprecated version of uuid
  • bump graceful-fs from 4.2.7 to 4.2.11 to fix vulnerability
  • bump ansi-regex from 3.0.0 to 3.0.1 to fix vulnerability
  • bump get-func-name from 2.0.0 to 2.0.2 to fix vulnerability
  • bump json5 from 2.2.0 to 2.2.3 to fix vulnerability
  • bump @babel/traverse from 7.15.0 to 7.23.7 to fix vulnerability
  • bump minimist from 1.2.5 to 1.2.8 to fix vulnerability
  • added myself to CONTRIBUTORS.md

Was on the fence about regenerating the entire yarn.lock file, but decided in favor of incremental changes

It relates to the following issue #s:

cc @bhamail / @DarthHater / @allenhsieh / @ken-duck
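As an added example (not code from auditjs or from this PR), a small check a maintainer could run after incremental bumps like the ones listed above: it parses the v1 yarn.lock entries and reports any of the listed packages still resolving below the fixed version. The function names are mine, the sample lockfile is constructed, and the version floors come from the list in this PR.

```javascript
// Added example (not from the auditjs project): checks that a v1 yarn.lock no
// longer resolves any package bumped in this PR below its fixed version.
const MIN_VERSIONS = { // version floors taken from the PR description
  "graceful-fs": "4.2.11", "ansi-regex": "3.0.1", "get-func-name": "2.0.2",
  "json5": "2.2.3", "@babel/traverse": "7.23.7", "minimist": "1.2.8",
};
// Parse `name@range, name@range:` blocks of a v1 yarn.lock into {name, version}
// entries; only the fields this check needs are read.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (/^[^\s#].*:$/.test(line)) {
      // Header line: comma-separated keys, possibly quoted; the name is the
      // part before the last "@" (scoped names start with one).
      const firstKey = line.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      current = { name: firstKey.slice(0, firstKey.lastIndexOf("@")), version: null };
      entries.push(current);
    } else if (current && /^\s+version\s/.test(line)) {
      current.version = line.trim().split(/\s+/)[1].replace(/"/g, "");
    }
  }
  return entries;
}
// Numeric comparison of dotted versions (no pre-release tags in this list).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Returns [{name, version, min}] for every entry still below its floor.
function findOutdated(lockText, minVersions = MIN_VERSIONS) {
  return parseYarnLock(lockText)
    .filter((e) => e.version && minVersions[e.name] &&
      compareVersions(e.version, minVersions[e.name]) < 0)
    .map((e) => ({ name: e.name, version: e.version, min: minVersions[e.name] }));
}
// Constructed sample lockfile: two entries already fixed, ansi-regex still old.
const SAMPLE_LOCK = `# yarn lockfile v1
"@babel/traverse@^7.15.0":
  version "7.23.7"
ansi-regex@^3.0.0:
  version "3.0.0"
json5@^2.2.0, json5@^2.2.3:
  version "2.2.3"
`;
```

Running `findOutdated(require("fs").readFileSync("yarn.lock", "utf8"))` on a real lockfile lists the entries that still need a bump; an empty array means every listed package is at or above its floor.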

@bhamail
Contributor

bhamail commented Jan 4, 2024

Thanks for this contribution! It looks good to me.

I need to figure out a way to get the CI build working w/out need to access the context object. Worst case, I'll try to manually validate the build later this week.

@bhamail
Contributor

bhamail commented Jan 4, 2024

@lostunicorn Would you mind pulling/merging the latest changes from main (.circleci/config.yml) into this PR? I'd like to see if removing the slack/notify fixed the CI build issue (and want to ensure your PR can build on its own).

@bhamail
Contributor

bhamail commented Jan 5, 2024

Thanks. Looks like the CI build succeeded, but the test step seems to have an issue: https://app.circleci.com/pipelines/github/sonatype-nexus-community/auditjs/1973/workflows/5a2c6a82-a984-483e-a974-6d7201b94ec5/jobs/2089
I will try to look at this more later, but I thought you might want to give a quick look to see if you see a cause.

yarn run v1.22.19
$ MOCHA_FILE=./reports/test-results.xml mocha -r ts-node/register src/**/*.spec.ts --reporter mocha-junit-reporter
Error: EBADF, bad file descriptor
    at Binding.getDescriptorById (/home/circleci/auditjs/node_modules/mock-fs/lib/binding.js:309:11)
    at Binding.<anonymous> (/home/circleci/auditjs/node_modules/mock-fs/lib/binding.js:792:29)
    at maybeCallback (/home/circleci/auditjs/node_modules/mock-fs/lib/binding.js:82:18)
    at Binding.writeBuffer (/home/circleci/auditjs/node_modules/mock-fs/lib/binding.js:791:10)
    at BaseObject.<anonymous> (/home/circleci/auditjs/node_modules/mock-fs/lib/index.js:37:39)
    at Object.write (node:fs:852:20)
    at WriteStream.writeAll (node:internal/fs/streams:398:13)
    at WriteStream._write (node:internal/fs/streams:457:12)
    at writeOrBuffer (node:internal/streams/writable:392:12)
    at _write (node:internal/streams/writable:333:10)
    at WriteStream.Writable.end (node:internal/streams/writable:612:17)
    at RollingFileStream._final (/home/circleci/auditjs/node_modules/streamroller/lib/RollingFileWriteStream.js:127:28)
    at callFinal (node:internal/streams/writable:698:12)
    at prefinish (node:internal/streams/writable:710:7)
    at finishMaybe (node:internal/streams/writable:720:5)
    at afterWrite (node:internal/streams/writable:507:3)
    at onwrite (node:internal/streams/writable:480:7)
    at /home/circleci/auditjs/node_modules/streamroller/lib/RollingFileWriteStream.js:140:9
    at afterWrite (node:internal/streams/writable:500:5)
    at onwrite (node:internal/streams/writable:480:7)
    at node:internal/fs/streams:465:5
    at node:internal/fs/streams:421:7
    at FSReqCallback.wrapper [as oncomplete] (node:fs:822:5) {
  code: 'EBADF',
  errno: -9
}
log4js.fileAppender - Writing to file /home/circleci/.ossindex/.auditjs.combined.log, error happened  Error: EBADF, bad file descriptor
    at Binding.getDescriptorById (/home/circleci/auditjs/node_modules/mock-fs/lib/binding.js:309:11)
    at Binding.<anonymous> (/home/circleci/auditjs/node_modules/mock-fs/lib/binding.js:792:29)
    at maybeCallback (/home/circleci/auditjs/node_modules/mock-fs/lib/binding.js:82:18)
    at Binding.writeBuffer (/home/circleci/auditjs/node_modules/mock-fs/lib/binding.js:791:10)
    at BaseObject.<anonymous> (/home/circleci/auditjs/node_modules/mock-fs/lib/index.js:37:39)
    at Object.write (node:fs:852:20)
    at WriteStream.writeAll (node:internal/fs/streams:398:13)
    at WriteStream._write (node:internal/fs/streams:457:12)
    at writeOrBuffer (node:internal/streams/writable:392:12)
    at _write (node:internal/streams/writable:333:10)
    at WriteStream.Writable.end (node:internal/streams/writable:612:17)
    at RollingFileStream._final (/home/circleci/auditjs/node_modules/streamroller/lib/RollingFileWriteStream.js:127:28)
    at callFinal (node:internal/streams/writable:698:12)
    at prefinish (node:internal/streams/writable:710:7)
    at finishMaybe (node:internal/streams/writable:720:5)
    at afterWrite (node:internal/streams/writable:507:3)
    at onwrite (node:internal/streams/writable:480:7)
    at /home/circleci/auditjs/node_modules/streamroller/lib/RollingFileWriteStream.js:140:9
    at afterWrite (node:internal/streams/writable:500:5)
    at onwrite (node:internal/streams/writable:480:7)
    at node:internal/fs/streams:465:5
    at node:internal/fs/streams:421:7
    at FSReqCallback.wrapper [as oncomplete] (node:fs:822:5) {
  code: 'EBADF',
  errno: -9
}
log4js.fileAppender - Writing to file /home/circleci/.ossindex/.auditjs.combined.log, error happened  Error: EBADF, bad file descriptor
    at Binding.untrackDescriptorById (/home/circleci/auditjs/node_modules/mock-fs/lib/binding.js:331:11)
    at Binding.<anonymous> (/home/circleci/auditjs/node_modules/mock-fs/lib/binding.js:527:10)
    at maybeCallback (/home/circleci/auditjs/node_modules/mock-fs/lib/binding.js:82:18)
    at Binding.close (/home/circleci/auditjs/node_modules/mock-fs/lib/binding.js:526:10)
    at BaseObject.<anonymous> (/home/circleci/auditjs/node_modules/mock-fs/lib/index.js:37:39)
    at Object.close (node:fs:529:11)
    at Object.close (/home/circleci/auditjs/node_modules/graceful-fs/graceful-fs.js:54:23)
    at close (node:internal/fs/streams:117:17)
    at WriteStream._destroy (node:internal/fs/streams:510:5)
    at _destroy (node:internal/streams/destroy:109:10)
    at WriteStream.destroy (node:internal/streams/destroy:71:5)
    at WriteStream.Writable.destroy (node:internal/streams/writable:897:11)
    at errorOrDestroy (node:internal/streams/destroy:200:12)
    at onwriteError (node:internal/streams/writable:425:3)
    at onwrite (node:internal/streams/writable:460:7)
    at node:internal/fs/streams:465:5
    at node:internal/fs/streams:406:14
    at FSReqCallback.wrapper [as oncomplete] (node:fs:822:5)
    at /home/circleci/auditjs/node_modules/mock-fs/lib/binding.js:88:9
    at processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'EBADF',
  errno: -9
}
Done in 3.71s.

@lostunicorn
Contributor Author

@bhamail I can't reproduce the error on my machine

yarn run test-ci works

user@debian:~/3rdparty/auditjs$ yarn run test-ci
yarn run v1.22.21
$ MOCHA_FILE=./reports/test-results.xml mocha -r ts-node/register src/**/*.spec.ts --reporter mocha-junit-reporter
Done in 3.97s.

and yarn run test works

user@debian:~/3rdparty/auditjs$ yarn run test
yarn run v1.22.21
$ mocha -r ts-node/register src/**/*.spec.ts


  Application
    ✓ merges both CLI and config options for auditWithOSSIndex, with CLI taking precedence (848ms)

  AuditIQServer
    ✓ should provide a true value if IQ Server Results have policy violations (289ms)
    ✓ should provide a true value if IQ Server Results have an isError value
    ✓ should provide a false value if IQ Server Results have no policy violations

  AuditOSSIndex
    ✓ should return true if OSS Index results have vulnerabilities
    ✓ should return true if OSS Index results have vulnerabilities, and json print is chosen (77ms)
    ✓ should return false if OSS Index results have no vulnerabilities
    ✓ should return false if OSS Index results have no vulnerabilities, and json print is chosen

  IqServerConfig
    ✓ should return true when it is able to save a config file (209ms)

  OssIndexServerConfig
    ✓ should return true when it is able to save a config file
    ✓ should return undefined when property does not exist

  CycloneDXSbomCreator
    ✓ should create an sbom string given a minimal valid object
    ✓ should create a spartan sbom string given a minimal valid object

  IQRequestService
    ✓ should have it's third party API request rejected when the IQ Server is down
    ✓ should respond with an error if the response for an ID is bad
    ✓ should have it's third party API request accepted when the IQ Server is up
    ✓ should have it's third party API request rejected when IQ Server is up but API gives bad response
    ✓ should have return a proper result when polling IQ Server and the request is eventually valid

  OssIndexRequestService
    ✓ should have its request rejected when the OSS Index server is down
    ✓ should return a valid response when given a valid component request

  RequestHelpers
    ✓ should return a valid user agent from getUserAgent
    ✓ getAgent() should return undefined when no env variable is set
    ✓ getAgent() should return a proxy httpAgent when env variable is set
    ✓ getAgent() should return an insecure httpAgent
    ✓ should return an httpAgent when env variable is set
    ✓ should return undefined when no env variable is set

  VulnerabilityExcluder
    ✓ should filter vulnerabilities given a valid auditjs.json
    ✓ should filter some vulnerabilities given a valid auditjs.json
    ✓ should not filter vulnerabilities given a valid auditjs.json with an id that does not match
    ✓ should just return the original results and not barf all over itself if the auditjs.json file is malformed
    ✓ should return original results if no auditjs.json exists


  31 passing (2s)

Done in 4.80s.

Is it possible there's a circleci issue that prevents writing to /home/circleci/.ossindex/.auditjs.combined.log ? Why that issue wouldn't occur on the main branch is a mystery to me though...

@bhamail
Contributor

bhamail commented Jan 10, 2024

@lostunicorn I ran your branch locally, and the tests are fine there too, so I'm gonna merge this puppy and we'll deal with any surprises on 'main' if they occur. Fingers crossed. ;)

@bhamail bhamail merged commit 698b380 into sonatype-nexus-community:main Jan 10, 2024
@brent-spiner

🎉 This PR is included in version 4.0.44 🎉

The release is available on:

Your semantic-release bot 📦🚀

@lostunicorn
Contributor Author

Thx @bhamail 🙂

Successfully merging this pull request may close these issues.

[BUG] use of deprecated packages + vulnerable package versions