@quasar/quasar-app-extension-testing-security-antivulndeprecated

A Quasar App Extension for checking that no packages are vulnerability threats

Usage no npm install needed!

<script type="module">
  import quasarQuasarAppExtensionTestingSecurityAntivuln from 'https://cdn.skypack.dev/@quasar/quasar-app-extension-testing-security-antivuln';
</script>

README

@quasar/testing-security-antivuln

This testing app extension will scan your installed dependencies (the entire chain) and compare them with the list of advisories found here: https://www.npmjs.com/advisories warning you if any are unsafe.

Install

Installation should be done via the @quasar/testing mono repo using

quasar ext add @quasar/testing

Then selecting the Security Anti-Vulnerability harness. If you do need to install this application extension on independantly you can use:

quasar ext add @quasar/testing-security-antivuln

Quasar CLI will retrieve it from NPM and install the extension.

Prompts

This app extension will prompt for 3 options:

  • Scan when running quasar dev - Enabling this will cause the scan to run when you run quasar dev
  • Scan when running quasar build - Enabling this will cause the scan to run when you run quasar build
  • Strict Mode - If enabled and if vulnerabilities are found, script execution will stop when runOnDev and / or runOnBuild are true.

Uninstall

If installed via @quasar/testing then just run the install again and don't select the Security Anti-Vulnerability harness.

If installed direct, run:

quasar ext remove @quasar/testing-security-antivuln

Running

quasar test --security antivuln

Testing

If you would like to test the output / how this works. You can add any package that exists in the NPM Advisory List for instance:

yarn add ids-enterprise@4.18.0

When you've added this package to your project, run:

quasar test --security antivuln

And you will see output similar to (albeit with a little more color):

Security Alert: [high] [ids-enterprise]
  Type: Cross-Site Scripting
  Advisory Version: <4.18.2
  Current version: 4.18.0
  Recommendation: Upgrade to version 4.18.2 or later
  Url: https://npmjs.com/advisories/957
  Detail: Versions of `ids-enterprise` prior to 4.18.2 are vulnerable to Cross-Site Scripting (XSS). The `modal` component fails to sanitize input to the `title` attribute, which may allow attackers to execute arbitrary JavaScript.
IMPORTANT

Remember to remove the unsafe package you've added for testing.

Output

Once the test has run, output will be saved to

your-application-folder/test/audits/security/antivuln/bad.packages.result.json

The output will be similar to (or exactly the same if you're following the Testing section above):

{
  "status": "fail",
  "runAt": 1560426465,
  "totalAdvisories": 1,
  "advisories": [
    {
      "name": "ids-enterprise",
      "version": "<4.18.2",
      "title": "Cross-Site Scripting",
      "recommendation": "Upgrade to version 4.18.2 or later",
      "severity": "high",
      "overview": "Versions of `ids-enterprise` prior to 4.18.2 are vulnerable to Cross-Site Scripting (XSS). The `modal` component fails to sanitize input to the `title` attribute, which may allow attackers to execute arbitrary JavaScript.",
      "url": "https://npmjs.com/advisories/957",
      "currentVersion": "4.18.0"
    }
  ]
}

Possible Roadmap

  • Fix option
  • HTML bad package browser.

Patreon

If you like (and use) this App Extension, please consider becoming a Quasar Patreon.