Implement npm audit endpoints
🍀 Context
While executing npm audit
there are two cases:
- GitLab npm Registry is neither set globally nor explicitly for
npm audit
:npm audit --registry <registry>
. - GitLab npm Registry is either set globally or explicitly for
npm audit
:npm audit --registry <registry>
.
With (1.) npm
will perform a call to registry.npmjs.org
with the list of installed packages including all private packages from GitLab or other sources.
With (2.) npm
will perform a call to GitLab npm Registry with the list of installed packages including all private packages from GitLab or other sources. GitLab npm Registry doesn't know how to handle the requests from npm audit
command and fail.
This MR addresses the (2.)
According to the docs npm audit
will create two consecutive requests:
-
Bulk advisory
POST /-/npm/v1/security/advisories/bulk
-
Quick audit
POST /-/npm/v1/security/audits/quick
As of version 7, npm
uses the faster Bulk Advisory endpoint to optimize the speed of calculating audit results and the second request is a fallback and only happens in case the first request is failed.
🔎 What does this MR do and why?
This MR introduces four new endpoints: two on the instance level and two on the project level.
Instance level
-
POST /api/v4/packages/npm/-/npm/v1/security/advisories/bulk
-
POST /api/v4/packages/npm/-/npm/v1/security/audits/quick
Project level
-
POST /api/v4/projects/:project_id/packages/npm/-/npm/v1/security/advisories/bulk
-
POST /api/v4/projects/:project_id/packages/npm/-/npm/v1/security/audits/quick
Depending on the setup of registry url (instance or project prefix) npm audit
will perform a call to GitLab npm Registry with the list of installed packages including all private packages from GitLab or other sources. The payload is a JSON
but compressed with Gzip
. After that we have two scenarios:
-
The forwarding of request is allowed by user, then we will propagate a request forward to
registry.npmjs.org
with all information.registry.npmjs.org
will return a report about known vulnerability for found packages. -
The forwarding of request isn't allowed by user, then we will return
[]
since we don't scan packages for known vulnerabilities yes.
📷 Screenshots or screen recordings
Reported vulnerability
🔬 How to set up and validate locally
-
Prepare a package
def fixture_file_upload(*args, **kwargs) Rack::Test::UploadedFile.new(*args, **kwargs) end FactoryBot.create(:npm_package, project: Project.first)
-
Grab required information
Packages::Package.last.name
Write it down somewhere or remember - it will be required at the later step.
-
Use
root
user and create a new project, for instancehello-npm
, in a new or existing group, for instancegitlab-org
.
For the sake of simplicity I will reference withhello-npm
as a project andgitlab-org
as a group later, but it can be whatever you choose. -
Create a new npm package on your machine
mkdir hello-npm cd hello-npm touch .tool-versions echo nodejs 16.15.0 > .tool-versions npm init
Note: while generating a new npm package, answer yes/ok on the all questions.
-
Edit package's name in
package.json
file to contain GitLab's group and package's name:"name": "@gitlab-org/hello-npm"
-
Authenticate to the Package Registry:
# Set URL for your scoped packages. npm config set @gitlab-org:registry http://gdk.test:3000/api/v4/packages/npm/ # Replace <your_token> with your token. npm config set -- '//gdk.test:3000/api/v4/packages/npm/:_authToken' "<your_token>"
Note:
gdk.test:3000
is a host with running GitLab instance. -
Install two packages to
hello-npm
.7.1 Private package created in the step (1.) and name taken in the step (2.)
npm install @gitlab-org/package-1
7.2 Public package with known vulnerability
npm install connect@1.8.1
Note 1: there is a known security vulnerability which was fixed in 1.8.2
Note 2: while installing a package
npm
will perform an audit and report any known vulnerabilities -
Run audit using GitLab npm Registry and check the report
npm audit --registry http://gdk.test:3000/api/v4/packages/npm/
✅ MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #227756 (closed)