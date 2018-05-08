Node Security helps you keep your node applications secure. With Node Security you can:
npm install -g nsp
nsp --help to find out more.
The results of the
check command may be altered based on either a
filter or
threshold.
--filter: hide all vulnerabilities below the given CVSS score
--threshold: display all vulnerabilities, but only exit with an error code if at least one finding has a CVSS score above the given value
The CLI tool exits with the following codes to signify state
You can adjust how the client outputs findings by specifying one of the following built in reporters:
Example:
nsp check --reporter summary
Additionally, you can use third-party reporter. The packages of custom reporters must adhere to the naming scheme
nsp-reporter-<name> and can then be referenced by that name:
$ npm install -g nsp nsp-reporter-checkstyle
$ nsp check --reporter checkstyle
Please note that in case of naming conflicts built-in reporters (as listed above) take precedence. For instance,
nsp-reporter-json would never be used since nsp ships with a
json formatter.
A custom reporter should be a module named with the prefix
nsp-reporter-, it must export two functions at minimum
error and
success.
The
error function accepts two arguments,
(err, args) where
err is an
Error object representing the failure that occurred during whatever command may have been run, and
args is an object representing all of the
command line arguments that were passed to the CLI at run time.
The
success function also accepts two arguments
(result, args) where
args is the same CLI arguments and
result is an object with these three properties:
message: a string summary of the command's result
data: the actual result of the command, the shape of this parameter varies for each command
meta: detailed information from behind the scenes (response headers, etc)
In addition to the top level
success and
error functions, specific handlers may be specified for each command that the CLI tool handles. For example
exports.error = function (err, args) {
// run for all failures of any command
};
exports.success = function (result, args) {
// run for success of any command _except_ for 'check'
};
exports.check = {};
exports.check.success = function (result, args) {
// run for success of _only_ the 'check' command
};
Any of these functions may return a Promise if they perform any asynchronous actions to guarantee that they complete before the process exits. If the returned Promise rejects, the
error handler will also be called with the
result of the rejected Promise.
You may also alter a project's
package.json,
npm-shrinkwrap.json and/or
package-lock.json by using an input preprocessor.
The default, built in, preprocessor simply reads these files and returns their JSON parsed content as-is. You can use a third party preprocessor like so:
nsp check --preprocessor example which, much like third party reporters
would attempt to require the module
nsp-preprocessor-example. If the given preprocessor is not found, the default will be used.
A custom preprocessor should be a module named with the prefix
nsp-preprocessor-. It must export an object where each property is the name of a command executable by the
nsp script. The value of each of these properties must
be a function that accepts a single argument
args which represents the command line arguments passed at execution time, it must return a promise modifying or extending the
args object.
Example:
module.exports = {
check: function (args) {
// do something to read or generate package.json, npm-shrinkwrap.json and package-lock.json
// the path to the project can be found as `args.path`
// `pkg` must be the JSON parsed contents of package.json
// `shrinkwrap` must be the JSON parsed contents of npm-shrinkwrap.json, if it exists. this may be left out.
// `packagelock` must be the JSON parsed contents of package-lock.json, if it exists. this may also be left out.
return Object.assign(args, { pkg, shrinkwrap, packagelock });
}
};
The Node Security CLI supports adding exceptions. These are advisories that you have evaluated and personally deemed unimportant for your project.
There are two ways to leverage this capability, online or offline. To use online exceptions, register your project on our online portal. From there you can manage your exceptions from a central location.
In order to inform the CLI tool that it should use these settings, you'll have to create a settings file (and login if your project is private). You'll need both the organization name and the UUID for your project, these can be
retrieved from the URL from our portal. For example, if your project is hapi and your project URL is https://nodesecurity.io/orgs/hapi/projects/2a6e5642-b7a1-4b93-b8fb-21c1a5043f42 then your
organization name is
hapi and your project UUID is
2a6e5642-b7a1-4b93-b8fb-21c1a5043f42.
Using that information, create a
.nsprc file with the following content:
{
"org": "hapi",
"integration": "2a6e5642-b7a1-4b93-b8fb-21c1a5043f42"
}
When you next run
nsp check your exceptions will be retrieved from online. If your project is a private one, you will additionally need to run
npm login which will create another
.nsprc file in your home directory with an
authentication token that will allow the CLI tool to look up your settings.
For offline exceptions, create a
.nsprc file in the root of your project with content like the following:
{
"exceptions": ["https://nodesecurity.io/advisories/12"]
}
The URLs used in the array should match the advisory link that the CLI reports. With this in place, you will no longer receive warnings about any advisories in the exceptions array.
Be careful using this feature. If you add code later that is impacted by an excluded advisory, Node Security has no way of knowing. Keep a careful eye on your exceptions.
.nsprc is read using rc, so it supports comments using json-strip-comments.
The Node Security CLI has proxy support by using https-proxy-agent.
To configure the proxy set the proxy key in your
.nsprc file. This can be put in the root of your project or in your home directory.
{
"proxy": "http://127.0.0.1:8080"
}
The CLI tool will also automatically detect your proxy if it is exported to the environment as
HTTP_PROXY or
HTTPS_PROXY.
Run
nsp gather to save
advisories.json locally, then
nsp check --offline or
nsp check --offline --advisories /path/to/advisories.json
codeclimate-nodesecurity is a Code Climate engine that wraps the Node Security CLI. You can run it on your command line using the Code Climate CLI, or Code Climate's hosted analysis platform.
Note that this engine only works if your code has a
npm-shrinkwrap.json or
package-lock.json file committed.
First, build this repo with docker
git clone git@github.com:nodesecurity/nsp
cd nsp
docker build -t codeclimate/codeclimate-nodesecurity .
Install the codeclimate CLI
brew tap codeclimate/formulae
brew install codeclimate
Go into your project's directory and enable codeclimate
codeclimate init
Then edit
.codeclimate.yml to add the engine like so
---
engines:
nodesecurity:
enabled: true
exclude_paths: []
And finally run it
codeclimate analyze --dev
Should you come across data in an advisory that you feel is wrong or is a false positive please let us know at report@nodesecurity.io. We endeavor to make this process better in the future, however this is the best place to resolve these issues at the present.
Node Security (+) is brought to you by ^lift security.
