6

I would like to run the npm command npm audit as part of the ci build and somehow display the output in a jenkins ci build.

If a critical vulnerability is found, I would like to fail the current build by returning a non zero exit code.

dagda1
  • 26,856
  • 59
  • 237
  • 450
  • Can you please elaborate your question? – Sachin Yadav Oct 11 '19 at 15:46
  • Was this for a personal project or with a team? If it was with a team, did you end up implementing this? I'm confused why you would want the build to fail. Wouldn't it require all PR authors to make the same fix in each PR branch before successfully building? – michaelAdam Mar 31 '21 at 06:31

2 Answers

2

I don't know of any plugins that would achieve this but some manual parsing might work (if you are using a pipeline).

// npm audit exits non-zero when it finds anything, which would abort the sh step
// before the output is parsed, so the exit code is suppressed here
def output = sh script: "npm audit || true", returnStdout: true
def summary = output.split("\n")[-1] // get the summary from the last line
...

You then could use some regex or other string manipulation to find the number after critical. You also could use archiveArtifacts to save the entire output in the build history.

smelm
  • 1,253
  • 7
  • 14
2

Inspired by this post, I've realized this by creating a custom 'Compiler Warnings parser':

  1. install Warnings Plugin
  2. configure custom parser:
    Manage Jenkins -> Configure System -> 'Compiler Warnings' section
    Name: NPM audit analyzer
    Link name: NPM audit analyzer
    Trend report name: Detected Vulnerabilities
    Regular Expression: [\w+-]+\s+([\w+-]+)\s+([\w\.-@]+)\s+(>=\s)*([\w\.-@]+)\s+(.+?(?=http))([\w\.-@]+)\s+(.*)
    Mapping script:
import hudson.plugins.warnings.parser.Warning
import hudson.plugins.analysis.util.model.Priority

// group 2 of the regex holds the npm severity; anything not low/moderate is treated as HIGH
priority = Priority.HIGH;
if ( "low" == matcher.group(2) ) {
    priority = Priority.LOW;
}
else if ( "moderate" == matcher.group(2) ) {
    priority = Priority.NORMAL;
}

// group 1 is the package name, group 6 the affected version
String msg = "Vulnerability found in '" + matcher.group(1) + "' (" + matcher.group(6) + ") , prio: " + matcher.group(2) + " Fix: " + matcher.group(5) + " info: " + matcher.group(5);
return new Warning('package.json', 0, 'NSP Warning', matcher.group(1), msg, priority);
  3. configure job;
  4. Add Execute shell build step:
npm install
# parseable report for 'compile warning post build step'
npm audit --parseable >> npm_audit_report_parseable.txt || true # suppress npm audit error code
  5. Add [Deprecated] Scan for compiler warnings post build step:
    'Scan workspace files' -> File patterns: npm_audit_report_parseable.txt
    'Scan workspace files' -> Parser: NPM audit analyzer

Optionally you can configure 'Health/Status thresholds'; this determines when a build fails, and when it is marked as unstable.


Another solution: use the Dependency-Check Plugin

  1. install Dependency-Check Plugin
  2. configure a 'Dependency-Check' global tool:
    Manage Jenkins -> Global Tool Configuration -> 'Dependency-Check' -> 'Add Dependency-Check'
  3. configure job;
  4. Add Invoke Dependency-Check build step:
    Dependency-Check installation: choose the configured global tool
    I also configured the additional argument --scan /non/existing/dir to avoid finding exploits in installed package related files like 'demo', 'docs', etc., because the 'dependency check plugin' performs a full recursive file scan, which we do not need because the npm scanner already finds the 'npm audit' findings.
  5. Add Publish Dependency-Check results post build step:
    XML Report: **/dependency-check-report.xml
R. Oosterholt
  • 7,720
  • 2
  • 53
  • 77