How npm audit works?

I'm trying to understand how npm audit command works.

By which algorithm does it determine that there is a problem,

and, most importantly, how does it differentiate the levels low / moderate / high / critical?

Stepan Suvorov asked Apr 08 '19 08:04


2 Answers

There is no algorithm, only people.

What npm audit does is look at what package you are using and what version and compare it to npm's vulnerability database. Here's the web interface to that database.

If you click on any of the "problems" you will see 3 pieces of information: description of the problem, the recommended fix and a link to where the problem was reported.

As to how npm determines the severity of the problem, it does not. People determine the severity of the problems, and almost all of it is done by volunteers. This is one of the promises of open source: with enough eyes looking at your non-hidden code, bugs can be spotted.

slebetman answered Oct 09 '22 22:10


npm audit is a security module used to find the vulnerabilities of npm packages. The vulnerability database is available on the website: https://www.npmjs.com/advisories

The vulnerability format is the following:

    {
      "id": <vulnerability id>,
      "created_at": <creation date>,
      "updated_at": <update date>,
      "title": <vulnerability title>,
      "author": {
        "name": <contributor name>,
        "website": <contributor website>,
        "username": <contributor username>
      },
      "module_name": <product name>,
      "publish_date": <publication date>,
      "cves": [
        <cve name (if existing)>
      ],
      "vulnerable_versions": <vulnerable version(s)>,
      "patched_versions": <fix version(s)>,
      "overview": <vulnerability description>,
      "recommendation": <vendor advisory>,
      "references": [
        <source list>
      ],
      "cvss_vector": <CVSS vector in format AV:x/AC:x/PR:x/UI:x/S:x/C:x/I:x/A:x>,
      "cvss_score": <criticality score (between 0 and 10)>,
      "coordinating_vendor": <editor information>
    }

npm audit will match the package information against all vulnerabilities and return the matching ones.

About the scoring, CVSS scoring is used; you can find the documentation here: https://www.first.org/cvss/specification-document

Laurent Graff answered Oct 10 '22 00:10
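Both answers describe the same two steps: join the installed package names and versions against advisory records, then label each hit with a severity derived from the advisory's CVSS score. The script below is an added illustration of those steps, not code from the question, either answer or npm itself. It reads advisory records shaped like the JSON template in the second answer (only the fields the matching needs), checks the installed version against `vulnerable_versions` with a small range matcher that understands `<`, `<=`, `>`, `>=`, `=`, space-joined AND and `||` OR, and rates each hit with the CVSS v3 qualitative scale from the FIRST specification (0.1 to 3.9 low, 4.0 to 6.9 medium, 7.0 to 8.9 high, 9.0 to 10.0 critical). Assumptions: npm's "moderate" label is taken to correspond to the CVSS "medium" band and "info" to a score of 0; the advisory records and the installed package tree are constructed sample data.

```javascript
// Added example: a miniature of the matching step an audit tool performs.
// Advisory records and the package tree below are constructed sample data;
// the severity label names follow npm's output (assumption: "moderate" is
// the CVSS "medium" band, "info" is a score of 0).

function parseVersion(v) {
  return v.trim().replace(/^v/, "").split(".").map(Number);
}

// Numeric major.minor.patch comparison, so "1.10.0" sorts after "1.9.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Evaluate one comparator such as ">=1.2.0" or "<2.0.4" against a version.
function matchesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?\s*(\d+(?:\.\d+){0,2})$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const cmp = compareVersions(version, m[2]);
  switch (m[1] || "=") {
    case ">=": return cmp >= 0;
    case "<=": return cmp <= 0;
    case ">": return cmp > 0;
    case "<": return cmp < 0;
    default: return cmp === 0;
  }
}

// A range is "||"-separated alternatives; each alternative is a
// whitespace-joined AND of comparators (the shape advisories use).
function satisfiesRange(version, range) {
  return range.split("||").some(alt =>
    alt.trim().split(/\s+/).every(c => matchesComparator(version, c)));
}

// CVSS v3.x qualitative severity rating scale, expressed with npm's labels.
function severityFromScore(score) {
  if (score === 0) return "info";
  if (score < 4.0) return "low";
  if (score < 7.0) return "moderate"; // CVSS calls this band "medium"
  if (score < 9.0) return "high";
  return "critical";
}

// Constructed advisories, trimmed to the fields the match needs.
const ADVISORIES = [
  { id: 1, module_name: "example-lib", vulnerable_versions: "<1.2.0",
    patched_versions: ">=1.2.0", cvss_score: 7.5, title: "Constructed advisory A" },
  { id: 2, module_name: "example-lib", vulnerable_versions: ">=2.0.0 <2.0.4",
    patched_versions: ">=2.0.4", cvss_score: 5.3, title: "Constructed advisory B" },
  { id: 3, module_name: "other-pkg", vulnerable_versions: "<0.3.0 || >=1.0.0 <1.0.2",
    patched_versions: ">=0.3.0 <1.0.0 || >=1.0.2", cvss_score: 9.8, title: "Constructed advisory C" },
];

// Join the installed tree (name -> version) against the advisories and
// return one finding per matching advisory, as npm audit does for a lockfile.
function audit(installed, advisories = ADVISORIES) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    for (const adv of advisories) {
      if (adv.module_name !== name) continue;
      if (!satisfiesRange(version, adv.vulnerable_versions)) continue;
      findings.push({
        id: adv.id, name, version, title: adv.title,
        severity: severityFromScore(adv.cvss_score),
        patched_versions: adv.patched_versions,
      });
    }
  }
  return findings;
}

// Constructed installed tree: two vulnerable packages, one clean one.
const sampleTree = { "example-lib": "1.1.3", "other-pkg": "1.0.1", "safe-pkg": "3.0.0" };
console.log(JSON.stringify(audit(sampleTree), null, 2));
```

Running it reports two findings: `example-lib@1.1.3` hits advisory 1 (high) but not advisory 2, whose range starts at 2.0.0, and `other-pkg@1.0.1` hits advisory 3 (critical) through the second alternative of its `||` range. The `patched_versions` field carried into each finding is what the "recommended fix" text in the first answer is derived from.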