diff --git a/npm-audit-dev.sh b/npm-audit-dev.sh
new file mode 100755
index 0000000..e9a5d29
--- /dev/null
+++ b/npm-audit-dev.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+CI_COMMIT_REF_NAME=$1
+PROJECT_DOMAIN=$2
+CI_COMMIT_SHORT_SHA=$3
+
+if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+ COMMAND="jq-linux64"
+elif [[ "$OSTYPE" == "darwin"* ]]; then
+ COMMAND="jq-osx-amd64"
+fi
+
+GITHUB="https://github.com/stedolan/jq/releases/download/jq-1.6/"
+
+print_vulnerabilities () {
+
+ echo "Report"
+ npm audit
+}
+
+# print_vulnerabilities () {
+# echo "Summary "
+# ./${COMMAND} .metadata.vulnerabilities < ./audit_result.json
+# echo "Report"
+# ./${COMMAND} < ./audit_result.json
+# }
+
+if [ ! -f "$COMMAND" ]; then
+ wget -q $GITHUB$COMMAND
+fi
+
+
+chmod +x $COMMAND
+
+#npm i --package-lock-only
+VERSION="$(npm -v | cut -c1)"
+npm audit --json > audit_result.json
+
+#INFO_VUL="$(./${COMMAND} .metadata.vulnerabilities.info < ./audit_result.json)"
+#LOW_VUL="$(./${COMMAND} .metadata.vulnerabilities.low < ./audit_result.json)"
+MODERATE_VUL="$(./${COMMAND} .metadata.vulnerabilities.moderate < ./audit_result.json)"
+HIGH_VUL="$(./${COMMAND} .metadata.vulnerabilities.high < ./audit_result.json)"
+CRITICAL_VUL="$(./${COMMAND} .metadata.vulnerabilities.critical < ./audit_result.json)"
+
+SUMMARY_VUL="$(./${COMMAND} .metadata.vulnerabilities < ./audit_result.json)"
+
+
+echo "Summary "
+./${COMMAND} .metadata.vulnerabilities < ./audit_result.json
+
+
+# if [ "$INFO_VUL" -ne "0" ]
+# then
+# print_vulnerabilities
+# exit 1
+# fi
+
+# if [ "$LOW_VUL" -ne "0" ]
+# then
+# print_vulnerabilities
+# exit 1
+# fi
+
+if [[ $CI_COMMIT_REF_NAME =~ ^[0-9]*\.[0-9]*\.[0-9]*$|^master$|^develop$ ]]
+then
+ curl -L -X POST https://chief.nano.rocks/api/report -F "report=@audit_result.json" -F "metadata={\"type\":\"npm-dev\",\"version\":\"$VERSION\",\"project\":\"$PROJECT_DOMAIN\",\"ref\":\"$CI_COMMIT_REF_NAME\", \"sha\":\"$CI_COMMIT_SHORT_SHA\", \"job_url\":\"$CI_JOB_URL\"}"
+fi
+
+# if [ "$MODERATE_VUL" -ne "0" ]
+# then
+# print_vulnerabilities
+# exit 1
+# fi
+
+if [ "$HIGH_VUL" -ne "0" ]
+then
+ print_vulnerabilities
+ exit 1
+fi
+
+if [ "$CRITICAL_VUL" -ne "0" ]
+then
+ print_vulnerabilities
+ exit 1
+fi
diff --git a/npm-audit-prod.sh b/npm-audit-prod.sh
new file mode 100755
index 0000000..d1920d5
--- /dev/null
+++ b/npm-audit-prod.sh
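Review bot: The severity gates at the end of the hunk fail open: if `npm audit --json` yields no usable output (network error, unsupported npm version, or `$COMMAND` left unset on a runner whose `$OSTYPE` is neither linux-gnu nor darwin), jq prints `null` or nothing, `[ "$HIGH_VUL" -ne "0" ]` reports "integer expression expected" and evaluates false, and the job exits 0 with no findings; nothing checks the audit's own status, and a blanket `set -e` is not a drop-in fix because `npm audit` exits non-zero precisely when it finds vulnerabilities. The jq binary is also fetched with `wget -q $GITHUB$COMMAND` and executed with no integrity check, so the release asset should be verified against a pinned digest before `chmod +x`. Both points apply identically to npm-audit-prod.sh in the next hunk. The rewritten lines below pin the digest (`sha256sum -c`, or `shasum -a 256 -c` on macOS) and require the counts to be numeric before they are compared.
```shell
# … unchanged: argument and OS detection, GITHUB, print_vulnerabilities …
: "${COMMAND:?unsupported OSTYPE: $OSTYPE}"
# Expected SHA-256 of the pinned jq-1.6 release asset; take it from the release page.
JQ_SHA256="<sha256-of-${COMMAND}-placeholder>"
if [ ! -f "$COMMAND" ]; then
  wget -q -- "${GITHUB}${COMMAND}" || exit 1
  printf '%s  %s\n' "$JQ_SHA256" "$COMMAND" | sha256sum -c - >/dev/null || exit 1
fi
chmod +x -- "$COMMAND"
# … unchanged: npm audit, jq extraction, summary, report upload …
for n in "$HIGH_VUL" "$CRITICAL_VUL"; do
  [[ "$n" =~ ^[0-9]+$ ]] || { printf 'audit_result.json has no vulnerability counts\n' >&2; exit 1; }
done
# … unchanged: HIGH/CRITICAL gates …
```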
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+CI_COMMIT_REF_NAME=$1
+PROJECT_DOMAIN=$2
+CI_COMMIT_SHORT_SHA=$3
+
+if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+ COMMAND="jq-linux64"
+elif [[ "$OSTYPE" == "darwin"* ]]; then
+ COMMAND="jq-osx-amd64"
+fi
+
+GITHUB="https://github.com/stedolan/jq/releases/download/jq-1.6/"
+
+print_vulnerabilities () {
+
+ echo "Report"
+ npm audit --production
+}
+
+# print_vulnerabilities () {
+# echo "Summary "
+# ./${COMMAND} .metadata.vulnerabilities < ./audit_result.json
+# echo "Report"
+# ./${COMMAND} < ./audit_result.json
+# }
+
+if [ ! -f "$COMMAND" ]; then
+ wget -q $GITHUB$COMMAND
+fi
+
+
+chmod +x $COMMAND
+
+#npm i --package-lock-only
+VERSION="$(npm -v | cut -c1)"
+npm audit --production --json > audit_result.json
+
+#INFO_VUL="$(./${COMMAND} .metadata.vulnerabilities.info < ./audit_result.json)"
+#LOW_VUL="$(./${COMMAND} .metadata.vulnerabilities.low < ./audit_result.json)"
+MODERATE_VUL="$(./${COMMAND} .metadata.vulnerabilities.moderate < ./audit_result.json)"
+HIGH_VUL="$(./${COMMAND} .metadata.vulnerabilities.high < ./audit_result.json)"
+CRITICAL_VUL="$(./${COMMAND} .metadata.vulnerabilities.critical < ./audit_result.json)"
+
+SUMMARY_VUL="$(./${COMMAND} .metadata.vulnerabilities < ./audit_result.json)"
+
+
+echo "Summary "
+./${COMMAND} .metadata.vulnerabilities < ./audit_result.json
+
+
+# if [ "$INFO_VUL" -ne "0" ]
+# then
+# print_vulnerabilities
+# exit 1
+# fi
+
+# if [ "$LOW_VUL" -ne "0" ]
+# then
+# print_vulnerabilities
+# exit 1
+# fi
+
+if [[ $CI_COMMIT_REF_NAME =~ ^[0-9]*\.[0-9]*\.[0-9]*$|^master$|^develop$ ]]
+then
+ curl -L -X POST https://chief.nano.rocks/api/report -F "report=@audit_result.json" -F "metadata={\"type\":\"npm\",\"version\":\"$VERSION\",\"project\":\"$PROJECT_DOMAIN\",\"ref\":\"$CI_COMMIT_REF_NAME\", \"sha\":\"$CI_COMMIT_SHORT_SHA\", \"job_url\":\"$CI_JOB_URL\"}"
+fi
+
+# if [ "$MODERATE_VUL" -ne "0" ]
+# then
+# print_vulnerabilities
+# exit 1
+# fi
+
+if [ "$HIGH_VUL" -ne "0" ]
+then
+ print_vulnerabilities
+ exit 1
+fi
+
+if [ "$CRITICAL_VUL" -ne "0" ]
+then
+ print_vulnerabilities
+ exit 1
+fi
diff --git a/npm-audit-step.sh b/npm-audit-step.sh
deleted file mode 100644
index d1e412c..0000000
--- a/npm-audit-step.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-
-print_vulnerabilities () {
- ./jq-linux64 .metadata.vulnerabilities < ./audit_result.json
- cat ./audit_result.json
-}
-
-wget https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
-chmod +x jq-linux64
-npm i --package-lock-only
-npm audit --json > audit_result.json
-
-INFO_VUL="$(./jq-linux64 .metadata.vulnerabilities.info < ./audit_result.json)"
-LOW_VUL="$(./jq-linux64 .metadata.vulnerabilities.low < ./audit_result.json)"
-MODERATE_VUL="$(./jq-linux64 .metadata.vulnerabilities.moderate < ./audit_result.json)"
-HIGH_VUL="$(./jq-linux64 .metadata.vulnerabilities.high < ./audit_result.json)"
-CRITICAL_VUL="$(./jq-linux64 .metadata.vulnerabilities.critical < ./audit_result.json)"
-
-if [ "$INFO_VUL" -ne "0" ]
-then
- print_vulnerabilities
- exit 1
-fi
-
-if [ "$LOW_VUL" -ne "0" ]
-then
- print_vulnerabilities
- exit 1
-fi
-
-if [ "$MODERATE_VUL" -ne "0" ]
-then
- print_vulnerabilities
- exit 1
-fi
-
-if [ "$HIGH_VUL" -ne "0" ]
-then
- print_vulnerabilities
- exit 1
-fi
-
-if [ "$CRITICAL_VUL" -ne "0" ]
-then
- print_vulnerabilities
- exit 1
-fi
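Review bot: `VERSION="$(npm -v | cut -c1)"` keeps only the first character of the npm version, so npm 10 and later are reported to the endpoint as version `1`; `VERSION="$(npm -v | cut -d. -f1)"` yields the major version. The `metadata=` form field is assembled by interpolating `$PROJECT_DOMAIN`, `$CI_COMMIT_REF_NAME` and `$CI_JOB_URL` into a quoted string, so any of them containing a double quote or backslash produces invalid JSON; since jq is already on disk, building the payload with `./${COMMAND} -cn --arg type npm --arg version "$VERSION" --arg project "$PROJECT_DOMAIN" ... '{type:$type,version:$version,project:$project,...}'` keeps it well-formed for any input, and adding `--fail` to the `curl` call makes a rejected upload visible in the job log instead of being silently ignored. The same three points apply to npm-audit-dev.sh in the previous hunk, which differs from this file only in `--production` and the `type` value; a single script taking a mode argument would avoid maintaining the fixes twice.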