Merge pull request #778 from coinbase/yarn-auto-fix-v2

YarnAutoFix using yarn-audit-fix
coinbase · Jan 4, 2023 · b3f77c5 · b3f77c5
2 parents 1b823a4 + a2fec85
commit b3f77c5
Show file tree

Hide file tree

Showing 9 changed files with 1,829 additions and 166 deletions.
diff --git a/build/package.json b/build/package.json
@@ -1,5 +1,6 @@
 {
   "dependencies": {
-    "@yarnpkg/lockfile": "^1.0.1"
+    "@yarnpkg/lockfile": "^1.0.1",
+    "yarn-audit-fix": "9.3.7"
   }
 }
diff --git a/lib/salus/auto_fix/yarn_audit_v2.rb b/lib/salus/auto_fix/yarn_audit_v2.rb
@@ -0,0 +1,18 @@
+require 'uri'
+require 'salus/yarn_formatter'
+require 'salus/auto_fix/base'
+
+module Salus::Autofix
+  class YarnAuditV2 < Base
+    def initialize(path_to_repo)
+      @path_to_repo = path_to_repo
+    end
+
+    def run_auto_fix
+      shell_return = run_shell("npx yarn-audit-fix", chdir: @path_to_repo)
+      return true if shell_return.stdout.include?("success Saved lockfile.")
+
+      false
+    end
+  end
+end
diff --git a/lib/salus/report.rb b/lib/salus/report.rb
@@ -270,6 +270,17 @@ def to_cyclonedx(config = {})
       bugsnag_notify(e.class.to_s + " " + e.message + "\nBuild Info:" + @builds.to_s)
     end
 
+    def to_auto_fix
+      auto_fixes = {}
+      file_names = ["yarn.lock", "package.json"]
+      file_names.each do |file_name|
+        if File.exist?("/home/repo/#{file_name}")
+          auto_fixes[file_name] = File.read("/home/repo/#{file_name}")
+        end
+      end
+      JSON.pretty_generate(auto_fixes)
+    end
+
     def publish_report(directive)
       # First create the string for the report.
       uri = directive['uri']
@@ -283,6 +294,7 @@ def publish_report(directive)
                       when 'sarif_diff' then to_sarif_diff
                       when 'sarif_diff_full' then to_full_sarif_diff
                       when 'cyclonedx-json' then to_cyclonedx(directive['cyclonedx_options'] || {})
+                      when 'auto_fix' then to_auto_fix
                       else
                         raise ExportReportError, "unknown report format #{directive['format']}"
                       end
@@ -405,9 +417,13 @@ def report_body(config)
                to_full_sarif_diff
              when 'cyclonedx-json'
                to_cyclonedx(config['cyclonedx_options'] || {})
+             when 'auto_fix'
+               to_auto_fix
              end
 
-      if %w[json sarif sarif_diff sarif_diff_full cyclonedx-json].include?(config['format'])
+      if %w[json sarif sarif_diff sarif_diff_full cyclonedx-json auto_fix].include?(
+        config['format']
+      )
         body = JSON.parse(body)
         return JSON.pretty_generate(report_body_hash(config, body))
       end

diff --git a/lib/salus/scanners/yarn_audit.rb b/lib/salus/scanners/yarn_audit.rb
@@ -2,6 +2,7 @@
 require 'salus/scanners/node_audit'
 require 'salus/semver'
 require 'salus/auto_fix/yarn_audit_v1'
+require 'salus/auto_fix/yarn_audit_v2'
 
 # Yarn Audit scanner integration. Flags known malicious or vulnerable
 # dependencies in javascript projects that are packaged with yarn.
@@ -130,13 +131,9 @@ def handle_legacy_yarn_audit
 
       auto_fix = @config.fetch("auto_fix", false)
       if auto_fix
-        v1_autofixer = Salus::Autofix::YarnAuditV1.new(@repository.path_to_repo)
-        v1_autofixer.run_auto_fix(
-          generate_fix_feed,
-          @repository.path_to_repo,
-          @repository.package_json,
-          @repository.yarn_lock
-        )
+        auto_fix_v2 = Salus::Autofix::YarnAuditV2.new(@repository.path_to_repo)
+        auto_fix_v2.run_auto_fix
+        run_shell(YARN_COMMAND)
       end
 
       vulns = combine_vulns(vulns)

diff --git a/spec/fixtures/yarn_audit/auto-fix/index.js b/spec/fixtures/yarn_audit/auto-fix/index.js
@@ -0,0 +1,14 @@
+/*
+ * Math functions on shapes
+ */
+
+'use strict';
+
+// For package depenency demonstration purposes only
+var multiply = require('lodash/multiply');
+
+module.exports = {
+  area_rectangle: function(width, height) {
+    return multiply(height, width);
+  }
+}
diff --git a/spec/fixtures/yarn_audit/auto-fix/package.json b/spec/fixtures/yarn_audit/auto-fix/package.json
@@ -0,0 +1,24 @@
+{
+    "name": "example-yarn-package",
+    "version": "1.0.0",
+    "description": "An example package to demonstrate Yarn",
+    "main": "index.js",
+    "repository": {
+      "url": "github.com/yarnpkg/example-yarn-package",
+      "type": "git"
+    },
+    "scripts": {
+      "test": "jest"
+    },
+    "author": "Yarn Contributors",
+    "license": "BSD-2-Clause",
+    "dependencies": {
+      "lodash": "^4.16.2"
+    },
+    "devDependencies": {
+      "jest-cli": "15.1.1"
+    },
+    "jest": {
+      "testEnvironment": "node"
+    }
+  }