Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: add optional flag that allows skipping npm audit checks with OWASP dependency-check scanner #214

Merged
merged 5 commits into from
Jan 19, 2024
Merged

fix: add optional flag that allows skipping npm audit checks with OWASP dependency-check scanner #214

merged 5 commits into from
Jan 19, 2024

Conversation

ravi-m-bah
Copy link
Contributor

@ravi-m-bah ravi-m-bah commented Jan 15, 2024
edited
Loading

PR Details

Allow users to skip npm auditing via flag.

Description

This allows skipping npm audit checks. The core error returned for us (needing us to add this flag to optionally skip this test):

Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.

This can be tested independently. This is mainly because tests can fail because of possible bugs upstream with the OWASP dependency checker itself (it appears to be brittle/flaky/unknown in why it tends to error):

https://github.com/search?q=repo%3Ajeremylong%2FDependencyCheck+Could+not+perform+Node+Audit+analysis.+Invalid+payload+submitted+to+Node+Audit+API&type=issues

They vary from duplicated dependencies (which npm may allow, but the npm audit may not, which owasp does not honor by avoiding deduplication) to simply unknown/major version releases.

How Has This Been Tested

This was tested manually in a jenkins setup with @ltdonner-bah's review.

Types of Changes

  • Docs change / refactoring / dependency upgrade
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • I am submitting this pull request to the appropriate branch
  • I have labeled this pull request appropriately
  • I have updated the documentation accordingly.
  • All new and existing tests passed.

@ravi-m-bah ravi-m-bah added documentation Library documentation add/update bug fix labels Jan 15, 2024
@ravi-m-bah ravi-m-bah changed the title Mr node audit flag fix: add optional flag that allows skipping npm audit checks with OWASP dependency-check scanner Jan 15, 2024
@ravi-m-bah ravi-m-bah force-pushed the MR-node-audit-flag branch 3 times, most recently from d614a4e to af7b480 Compare January 15, 2024 16:02
@ravi-m-bah @ltdonner-bah
chore: update libraries/owasp_dep_check/README.md on typo
63e10d7 
Co-authored-by: ltdonner-bah <141174159+ltdonner-bah@users.noreply.github.com>
@ravi-m-bah ravi-m-bah marked this pull request as ready for review January 16, 2024 16:01
@ravi-m-bah ravi-m-bah merged commit a2186fa into boozallen:main Jan 19, 2024
3 checks passed
@ravi-m-bah ravi-m-bah deleted the MR-node-audit-flag branch January 19, 2024 01:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ltdonner-bah ltdonner-bah ltdonner-bah approved these changes

Assignees
No one assigned
Labels
bug fix documentation Library documentation add/update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ravi-m-bah @ltdonner-bah