
Audit yarn dependencies with allowlist #8659

Merged
merged 2 commits into main from aduth-semver-patch on Jun 26, 2023

Conversation

aduth (Member) commented Jun 26, 2023

🛠 Summary of changes

Adds the audit-ci package as a replacement tool for NPM package audits, to work around a current security advisory flagged for semver. This is intended to be a temporary fix for a vulnerability for which the risk is very low, since conflicts between packages make upgrading infeasible (specifically, semver is only patched at 7.x, and many other dependencies like eslint-plugin-import are pinned to lower versions).

To enforce that this remains a temporary fix, an expiration has been added so that the allowlist expires on September 1st.

Related Slack discussion: https://gsa-tts.slack.com/archives/C0NGESUN5/p1687791623479719

📜 Testing Plan

  1. Observe that the build passes
  2. Observe that you can run the checks locally:
    1. Run make audit_yarn_packages
    2. Observe in the output that the vulnerability is identified, but explicitly allowlisted

changelog: Internal, Static Analysis, Enhance vulnerability checks for configurable allowlist
It's not the "recommended" usage per docs, but our CI setup is such that the lint would run after the initial installation anyway (per the documented "downsides"). This way, we also avoid potential issues with vulnerable dependencies of audit-ci itself, since while we can pin the audit-ci version, audit-ci's dependencies use loose version ranges. With the lockfile, we also expect that dependencies shouldn't change from under us. What we're missing is the ability to know that a newly-introduced package would be vulnerable prior to running the installation.

https://github.com/IBM/audit-ci#set-up
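To make the "allowlist with an expiration" idea concrete, here is an added example (not identity-idp's `make audit_yarn_packages` target and not audit-ci's own implementation) of how such a gate can be enforced. It reads a report in the shape of `npm audit --json` (npm 7+), allows only advisories that have a live allowlist entry with a justification and an expiry date, and fails once an entry has lapsed. The advisory ids, the module `unpatched-example`, the allowlist entry and the report are all constructed for illustration; only the semver / eslint-plugin-import situation and the September 1st expiry come from the PR.

```javascript
// Added example, not code from identity-idp or from audit-ci: an audit
// allowlist whose entries must carry a justification and an expiry date,
// applied to a report in the shape of `npm audit --json` (npm 7+).
// The advisory ids, the allowlist and the report below are constructed.

// Allowlist in the spirit of the PR: one low-risk advisory that cannot be
// fixed yet because the patched semver is 7.x and other pinned dependencies
// need an older range. The entry lapses on September 1st.
const ALLOWLIST = [
  {
    id: 'GHSA-0000-0000-0000', // placeholder id, not a real advisory
    module: 'semver',
    reason: 'fix only in semver 7.x; eslint-plugin-import pins a lower range',
    expires: '2023-09-01', // ISO date; the entry stops applying on this day
  },
];

// Constructed report: `vulnerabilities` is keyed by module name; each `via`
// element is either an advisory object (direct hit) or a string naming the
// dependency through which the module is affected (transitive hit).
const SAMPLE_REPORT = {
  vulnerabilities: {
    semver: {
      name: 'semver',
      severity: 'high',
      via: [{ source: 1000001, name: 'semver', severity: 'high',
              url: 'https://github.com/advisories/GHSA-0000-0000-0000' }],
    },
    'eslint-plugin-import': {
      name: 'eslint-plugin-import',
      severity: 'high',
      via: ['semver'], // transitive: reported once, on semver itself
    },
    'unpatched-example': { // constructed module that is NOT allowlisted
      name: 'unpatched-example',
      severity: 'moderate',
      via: [{ source: 1000002, name: 'unpatched-example', severity: 'moderate',
              url: 'https://github.com/advisories/GHSA-1111-1111-1111' }],
    },
  },
};

// Prefer the GHSA id from the advisory URL; fall back to the numeric source.
function advisoryId(via) {
  const match = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i.exec(via.url || '');
  return match ? match[0] : String(via.source);
}

// Every entry needs a well-formed expiry and a reason; otherwise a
// "temporary" exception silently becomes a permanent one.
function validateAllowlist(allowlist) {
  for (const entry of allowlist) {
    if (!/^\d{4}-\d{2}-\d{2}$/.test(entry.expires || '')) {
      throw new Error(`allowlist entry ${entry.id} has no valid expiry date`);
    }
    if (!entry.reason) throw new Error(`allowlist entry ${entry.id} has no justification`);
  }
}

// Evaluate the report as of `today` (ISO date string, so lexical comparison
// is chronological). Returns advisories not covered by a live allowlist
// entry, those that are covered, and allowlist entries that have lapsed.
function evaluateAudit(report, allowlist, today) {
  validateAllowlist(allowlist);
  const expired = allowlist.filter((entry) => entry.expires <= today);
  const findings = [];
  const allowlisted = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    for (const via of vuln.via || []) {
      if (typeof via === 'string') continue; // transitive; counted on its source module
      const id = advisoryId(via);
      const entry = allowlist.find((e) => e.id === id && e.module === via.name);
      if (entry && entry.expires > today) {
        allowlisted.push({ id, module: via.name, reason: entry.reason });
      } else {
        findings.push({ id, module: via.name, severity: via.severity });
      }
    }
  }
  return { findings, allowlisted, expired };
}

// CI gate: fail on any unallowlisted advisory or any lapsed entry, so a
// forgotten exception becomes a red build rather than a silent hole.
function auditPasses(result) {
  return result.findings.length === 0 && result.expired.length === 0;
}

function formatResult(result) {
  const lines = [];
  for (const a of result.allowlisted) lines.push(`allowlisted ${a.id} in ${a.module}: ${a.reason}`);
  for (const f of result.findings) lines.push(`VULNERABLE ${f.id} in ${f.module} (${f.severity})`);
  for (const e of result.expired) lines.push(`EXPIRED allowlist entry ${e.id} (expired ${e.expires})`);
  lines.push(auditPasses(result) ? 'audit: pass' : 'audit: FAIL');
  return lines;
}

// Run the same report on a day before and on the day of the expiry.
for (const day of ['2023-07-01', '2023-09-01']) {
  console.log(`--- as of ${day} ---`);
  for (const line of formatResult(evaluateAudit(SAMPLE_REPORT, ALLOWLIST, day))) console.log(line);
}
```

The expiry check is deliberately inclusive (an entry dated September 1st already fails on September 1st), and an entry without a date or reason is rejected outright rather than treated as open-ended, which is the property the PR relies on to keep the exception temporary. Transitive `via` strings are skipped because the same advisory is reported on the module that actually carries it, so allowlisting it once on that module is enough.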
aduth (Member Author) commented Jun 26, 2023

Modified the installation approach slightly in 24468f3. See extended commit description for details.

@aduth aduth merged commit cc7dcc5 into main Jun 26, 2023
3 checks passed
@aduth aduth deleted the aduth-semver-patch branch June 26, 2023 20:01
@mdiarra3 mdiarra3 mentioned this pull request Jun 27, 2023
mdiarra3 added a commit that referenced this pull request Jun 27, 2023
* LG-9815: Personal key screen success banner in GPO flow should be updated (#8630)

* update copy for personal key flash message following gpo verification

* verify that gpo flash message appears on personal key

* changelog: User-Facing Improvements, Identity Verification, Update copy on personal key alert banner for gpo verified users

* LG-9885: Restrict platform authenticator setup based on device support (#8615)

* LG-9885: Restrict platform authenticator setup based on device support

changelog: Upcoming Features, Face or Touch Unlock, Restrict availability of authentication method based on device support

* Add coverage for Android Firefox exclusion

* Fix feature specs for WebAuthn

* Filter by passkey support for initial setup

* Remove iPad checks

See: #8615 (comment)

* Fix lint error

* Add spec coverage for passkey_supported_only

See: #8615 (comment)

* Move initialized setter to connectedCallback

* Try to fix specs

Maybe there's some strange ordering/context. This should be simpler anyway

* LG-8534: remove toggle (#8286)

* update status

* changelog: User-Facing Improvements, Authentication, Forgot Password url doesn't show password token

* remove unneeded schema

* add spec on reset controller

* reset password controller update

* fix tests

* update url

* rubocop

* rspec for new logic

* rubocop

* remove unneeded route

* update application.yml

* add test for both toggle on and off

* update spec

* refactor to move edit and storing session only on toggle

* only delete on success or redirect

* rspec and rubocop fixes

* changelog: Internal, Authentication, remove Feature toggle

* remove toggle

* fix merge issues

* fix password token

* remove toggle references

* fix reset password token

* fix password

* fix rspec

* Add guard for suspending user with no unique session ID (#8636)

**Why**: OutOfBandSessionAccessor will error with nil id

[skip changelog]

* LG-10151 Add handle_fraud to IdvStepConcern before actions (#8632)

* Add handle_fraud to IdvStepConcern before actions

changelog: Internal, Flow State Machine removal, call handle_fraud from step concern

* Add WelcomeController spec to confirm please call redirect

* LG-9727 Add a fraud_pending_reason_column (#8635)

This commit adds a column for holding the reason that a user is fraud pending. This commit also clears the fraud review pending reason if it exists when the profile is activated after fraud review.

In order to maintain consistency the commit that adds the fraud review pending reason will need to follow this one in a different deploy.

changelog: Internal, Fraud Review, A fraud_pending_reason column was added to track the reason that a user entered the fraud review process.

* LG-10066 (#8612)

changelog: Bug Fixes, Profile States, ensure verified_at timestamp only updated once

Co-authored-by: Kimball Bighorse <kimball.bighorse@gsa.gov>

* Update mobile dev docs (#8640)

* update mobile dev docs

* [skip changelog]

* respond to feedback

* Add contributing guidelines for code review (#8646)

* Add contributing guidelines for code review

changelog: Internal, Documentation, Add code review contributing guidance

* Use org-qualified name for team

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>

* Fix typo

Co-authored-by: Sonia Connolly <sonia.connolly@gsa.gov>

* Add instructions on joining interest group team

---------

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
Co-authored-by: Sonia Connolly <sonia.connolly@gsa.gov>

* LG-10055 Do not change CSP or render TMx JS for specific users (#8644)

We have code that modifies the CSP and renders special javascript on the SSN page for device profiling.

We are planning a test to see how this page performs if the CSP changes are not in place or if the device profiling javascript is not enabled.

This commit adds 2 new configs:

- `idv_tmx_test_csp_disabled_emails`: A list of emails for which the CSP changes are not made
- `idv_tmx_test_js_disabled_emails`: A list of emails for which the JS is not loaded

These configs are empty by default. After this commit, adding an email address will cause the desired effect for a user with that email.

These lists are only intended to be populated in the staging environment. After the test this change should be reverted.

changelog: Internal, Threatmetrix Test, The idv_tmx_test_csp_disabled_emails and idv_tmx_test_js_disabled_emails were added to test scenarios where Threatmetrix CSP changes are not applied and where Threatmetrix Javascript is not loaded respectively for the set of users specified in the config along with the changes to the code to enable those changes for those users.

* LG-9727 Add a job to backfill the `fraud_pending_reason` column (#8642)

This commit adds a job to backfill the `fraud_pending_reason` column. It uses the value in the proofing components and defaults to `threatmetrix_review` if it finds an unexpected value.

Once the backfill job is run there should be no columns that are fraud pending without a `fraud_pending_reason` value.

Note that #8638 is related to this PR. This PR does not depend on the changes in that PR to work. However, if this backfill job is run before those changes are deployed then profiles that are fraud review pending could be created without a pending reason. As a result we should wait until that PR is deployed to run this backfill.

changelog: Internal, Fraud Review, A backfill job was added to write the value of the threatmetrix review status or a default value of threatmetrix_review into the fraud_review_reason column for profiles that have either a non-null fraud_review_pending_at or fraud_rejection_at value

* LG-10147 Redirect After Try again when resolution fails (#8631)

* LG-10147 Updated url if in person verify_info_controller is enabled

* LG-10147 Write spec to test resolution failure

* LG-10147 Updated shared concern to pass in param if in person

* changelog: Upcoming Features, In-person proofing, redirect to /verify/in_person/verify_info on Try again after resolution fails rather than /document_capture

* Moved logic to determine flow out of shared concern

* Added spec if resolution passes

* Redo Service Provider email notification (#8594)

* Revert "Revert "Send email for ExtraServiceProviderError instead of notifying NewRelic (#8559)" (#8590)"

This reverts commit f6e7ce1.

changelog: Internal, Errors, Send email instead of alerting NewRelic for extra service providers

* Switch to deliver_now

**Why**: error classes don't serialize well for background jobs, this is simpler

* Document country code parameter with phone reCAPTCHA result (#8649)

* Document country code parameter with phone reCAPTCHA result

changelog: Internal, Analytics, Improve documentation for reCAPTCHA analytics result

* Compact to avoid logging nil

* Update spec assertions for compacted analytics

* Update add_phone_spec.rb

* LG-10152 check for outage in idv step concern (#8643)

* Add check_for_outage to IdvStepConcern

changelog: Internal, Refactor, add check_for_outage to IdvStepConcern

* Remove OutageConcern and before action from post-FSM controllers

Also remove IdvSession and before_action :confirm_two_factor_authenticated which are in IdvStepConcern

* Check for outage before_action in controller specs

And remove outdated spec from ssn_controller_spec that checks for nil flow_session,
since we are initializing flow_session to {}

* Remove IdvSession from address_controller

* Review Apps in Gitlab (#8470)

* vendor idp helm chart

* Integrate review app ci

* add changelog

changelog: Internal, Continuous Integration, Build review applications for pull requests

* Add worker image and tag

Co-authored-by: Stephen Shelton <stephen.shelton@gsa.gov>

* Add worker env

Co-authored-by: Stephen Shelton <stephen.shelton@gsa.gov>

* heredoc

---------

Co-authored-by: Mitchell Henke <mitchell.henke@gsa.gov>
Co-authored-by: Stephen Shelton <stephen.shelton@gsa.gov>

* LG-10181 Gpo_only_warning fixes for welcome controller (#8648)

* Allow nil flow_session in gpo_only_warning and add spec

* Update welcome path for new controller, add specs

changelog: Internal, Outage handling, allow nil flow_session in mail only warning page

* Redirect to idv_url instead of directly to welcome url

* Initialize flow_session in idv_controller

* Add mail only warning visited analytics event

* Use conventional Sass syntax for modules (#8651)

* Use Sass module syntax for imports

* Rename "all" stylesheets "index"

* [skip changelog]

* Revert foundation-emails Sass modules syntax

changelog: Need to configure via "use with" syntax, more involved

* Refactor WebAuthn enrollment to package function (#8650)

* Refactor WebAuthn enrollment to package function

changelog: Internal, Code Quality, Consolidate WebAuthn code

* Defer responsibility of filtering split credentials

* Simulate human-readable spec values with helpers

See: #8650 (comment)

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>

---------

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>

* Initialize flow_session when it is first used (#8658)

* Initialize flow_session when it is first used

* Use flow_session method everywhere, move it to IdvSessionConcern

changelog: Internal, Identity Verification, initialize flow_session when it is first used

* LG-9869: Allow users to show information via reauthentication in account profile (#8516)

* changelog: Bug Fixes, Account information, Show non-obfuscated view when you reauthenticate

* LG-9869: allow authenticate to view work

* remove unneeded methods

* reauthn fix

* add rspec to check that functionality is working

* just do reauthentication context

* user profile spec updates

* failing tests fix

* email preference

* reauthn redirects to two_factor_login_path

* user profile spec dob

* fix profile

* fix email language spec

* fix rubocop

* use a reverity to show controller to reauthenticate

* revert back mfa confirmation controller

* pii confirmation

* Add reauthenticate option that works for verifying profile

* update pii routes

* add feature toggle

* remove dev and test prod stuff

* change to put method in accounts controller

* remove reauthentication spec

* added additional comment

* Audit yarn dependencies with allowlist (#8659)

* Audit yarn dependencies with allowlist

changelog: Internal, Static Analysis, Enhance vulnerability checks for configurable allowlist

* Install audit-ci as devDependency

It's not the "recommended" usage per docs, but our CI setup is such that the lint would run after the initial installation anyway (per the documented "downsides"). This way, we also avoid potential issues with vulnerable dependencies of audit-ci itself, since while we can pin the audit-ci version, audit-ci's dependencies use loose version ranges. With the lockfile, we also expect that dependencies shouldn't change from under us. What we're missing is the ability to know that a newly-introduced package would be vulnerable prior to running the installation.

https://github.com/IBM/audit-ci#set-up

* Remove WelcomeController 404 before_action (#8661)

changelog: Internal, Identity Verification, Remove WelcomeController 404 before_action

* Upgrade Rails to 7.0.5.1 (#8666)

changelog: Internal, Dependencies, Update dependencies to resolve security advisories

---------

Co-authored-by: Amir Reavis-Bey <amir.reavis-bey@gsa.gov>
Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
Co-authored-by: Sonia Connolly <sonia.connolly@gsa.gov>
Co-authored-by: Jonathan Hooper <jonathan.hooper@gsa.gov>
Co-authored-by: Eric Gade <105373963+eric-gade@users.noreply.github.com>
Co-authored-by: Kimball Bighorse <kimball.bighorse@gsa.gov>
Co-authored-by: eileen-nava <80347702+eileen-nava@users.noreply.github.com>
Co-authored-by: gina-yamada <125507397+gina-yamada@users.noreply.github.com>
Co-authored-by: Alex Kritikos <alex.kritikos@gsa.gov>
Co-authored-by: Mitchell Henke <mitchell.henke@gsa.gov>
Co-authored-by: Stephen Shelton <stephen.shelton@gsa.gov>
aduth (Member Author) commented Jul 5, 2023

Update as of today for removing the allowlist entry:

aduth (Member Author) commented Jul 11, 2023

Follow-up to remove allowlist: #8752


2 participants