
Update NpmAuditParser to Handle Changes in NPM Audit v7+ Responses to Retrieve github_advisory_id #7292

Open
ronmjf opened this issue Jan 8, 2025 · 0 comments

ronmjf commented Jan 8, 2025

Is your feature request related to a problem? Please describe.
The current implementation of the NpmAuditParser#parseAdvisory method retrieves the github_advisory_id by searching for this key in the npm audit response. However, with the release of npm version 7, the npm audit command accesses a new endpoint (https://registry.npmjs.org/-/npm/v1/security/advisories/bulk), which returns a different response structure compared to the previous endpoint (https://registry.npmjs.org/-/npm/v1/security/audits). Specifically, the response from the new endpoint does not include the github_advisory_id, while the older endpoint does. Instead, the github_advisory_id can be found in the CVE URLs returned by the new endpoint. This inconsistency can lead to errors or incomplete advisory processing in the application.

Describe the solution you'd like.
I propose to modify the NpmAuditParser#parseAdvisory method to accommodate the changes in the npm audit response structure. The solution would entail implementing a dual-check mechanism: first, the function would attempt to retrieve the github_advisory_id directly from the npm audit response when applicable; if not found, it would extract the github_advisory_id from the CVE URL provided in the response. This would ensure that the application can handle responses from both npm audit versions seamlessly.

Describe alternatives you've considered.
One alternative would be to maintain separate parsing logic for responses from npm audit version 6 and version 7. However, this approach could complicate the codebase and make it harder to maintain, as future updates to npm may continue to evolve the response structure. Therefore, implementing a unified parsing strategy as described above is more efficient.

Additional context
For further details, you can refer to the official npm documentation that outlines the changes in the audit endpoints and their respective response structures: npm audit documentation.

Below are images comparing the two response structures:

Npm Audit v6

[Screenshot: npm audit v6 response structure, 2025-01-08 10:18:18]

Npm Audit v7+

[Screenshot: npm audit v7+ response structure, 2025-01-08 14:18:06]
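The dual-check lookup proposed in this issue, as an added JavaScript example (not the project's NpmAuditParser code): read `github_advisory_id` when the v6 response carries it, otherwise pull the GHSA identifier out of the advisory's URL strings. The v7+ field names (`url`, `cves`, `references`) and the sample advisories are assumptions constructed for the example.

```javascript
// Added example, not the project's NpmAuditParser: a dual-check lookup for the
// GitHub advisory id that accepts both npm audit response shapes.
// Assumption: in the v7+ bulk response the advisory carries its GHSA id only
// inside URL strings (here "url", "cves", "references"); names are illustrative.
const GHSA_PATTERN = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/;

// Gather the string fields of an advisory object that may hold a URL.
function candidateUrls(advisory) {
  const urls = [];
  if (typeof advisory.url === 'string') urls.push(advisory.url);
  for (const key of ['cves', 'references']) {
    if (Array.isArray(advisory[key])) {
      for (const v of advisory[key]) if (typeof v === 'string') urls.push(v);
    }
  }
  return urls;
}

// Step 1: the v6 audits endpoint includes github_advisory_id directly.
// Step 2: otherwise scan URL fields for a GHSA identifier (v7+ bulk endpoint).
// Returns null when neither source yields an id, so a caller can skip that
// advisory instead of failing the whole parse.
function githubAdvisoryId(advisory) {
  const direct = advisory.github_advisory_id;
  if (typeof direct === 'string' && direct.length > 0) return direct;
  for (const url of candidateUrls(advisory)) {
    const match = GHSA_PATTERN.exec(url);
    if (match) return match[0];
  }
  return null;
}

// Constructed sample advisories mimicking the two response shapes.
const V6_ADVISORY = {
  module_name: 'example-pkg',
  github_advisory_id: 'GHSA-aaaa-bbbb-cccc',
  url: 'https://npmjs.com/advisories/1234',
};
const V7_ADVISORY = {
  id: 1234,
  url: 'https://github.com/advisories/GHSA-aaaa-bbbb-cccc',
};
const NO_ID_ADVISORY = { id: 5678, url: 'https://example.invalid/advisory' };

console.log(githubAdvisoryId(V6_ADVISORY));    // GHSA-aaaa-bbbb-cccc
console.log(githubAdvisoryId(V7_ADVISORY));    // GHSA-aaaa-bbbb-cccc
console.log(githubAdvisoryId(NO_ID_ADVISORY)); // null
```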