Merge pull request #540 from Fryguy/add_security_test

Add npm audit security tests

Author: jrafanie

.github/workflows/ci.yaml

@@ -22,6 +22,8 @@ jobs:
       run: bin/setup
     - name: Run tests
       run: bin/ci
+    - name: Run security tests
+      run: yarn test:security
     - name: Report code coverage
       if: "${{ github.ref == 'refs/heads/master' }}"
       continue-on-error: true

.yarnrc.yml

@@ -4,4 +4,16 @@ enableGlobalCache: true
 
 nodeLinker: node-modules
 
+npmAuditExcludePackages:
+  - angular
+  # pending | high     | GHSA-4w4v-5hc9-xrr2 | angular >=1.3.0 <=1.8.3      | 1.8.3 brought in by angular-bootstrap-switch@npm:0.5.2
+  # pending | moderate | GHSA-2qqx-w9hr-q5gx | angular <=1.8.3              | 1.8.3 brought in by angular-bootstrap-switch@npm:0.5.2
+  # pending | moderate | GHSA-2vrf-hf26-jrp5 | angular <=1.8.3              | 1.8.3 brought in by angular-bootstrap-switch@npm:0.5.2
+  # pending | moderate | GHSA-m2h2-264f-f486 | angular >=1.7.0              | 1.8.3 brought in by angular-bootstrap-switch@npm:0.5.2
+  # pending | moderate | GHSA-prc3-vjfx-vhm9 | angular <=1.8.3              | 1.8.3 brought in by angular-bootstrap-switch@npm:0.5.2
+  # pending | moderate | GHSA-qwqh-hm9m-p5hr | angular <=1.8.3              | 1.8.3 brought in by angular-bootstrap-switch@npm:0.5.2
+  # pending | low      | GHSA-j58c-ww9w-pwp5 | angular <=1.8.3              | 1.8.3 brought in by angular-bootstrap-switch@npm:0.5.2
+  # pending | low      | GHSA-m9gf-397r-hwpg | angular >=1.3.0-rc.4 <=1.8.3 | 1.8.3 brought in by angular-bootstrap-switch@npm:0.5.2
+  # pending | low      | GHSA-mqm9-c95h-x2p6 | angular <=1.8.3              | 1.8.3 brought in by angular-bootstrap-switch@npm:0.5.2
+
 yarnPath: .yarn/releases/yarn-4.11.0.cjs

Rakefile

@@ -0,0 +1,14 @@
+# Import the rake tasks from manageiq core.
+#
+# HACK: Since we don't have a proper symlink relationship to core like we do
+#   with other plugins, we have to resort to assuming a sibling directory
+#   similar to what we do in config/webpack.dev.js.
+namespace :app do
+  load File.join(__dir__, "../manageiq/lib/tasks/test_security.rake")
+end
+
+desc "Rebuild yarn audit pending list"
+task :rebuild_yarn_audit_pending do
+  ENV["ENGINE_ROOT"] = __dir__
+  Rake::Task["app:test:security:rebuild_yarn_audit_pending"].invoke
+end

package.json

@@ -12,7 +12,8 @@
     "gettext:extract": "yarn run build && angular-gettext-cli --files './+(src|dist)/**/+(*.html|ui-components.js)' --dest './locale/ui-components.pot' --marker-names '__,N_' && yarn run gettext:validate",
     "gettext:validate": "node scripts/validate-gettext-catalog.js",
     "install-vendor": "webpack --config webpack.vendor.config.js",
-    "build-docs": "jsdoc -c jsdoc-conf.json"
+    "build-docs": "jsdoc -c jsdoc-conf.json",
+    "test:security": "yarn npm audit --recursive --no-deprecations --environment production"
   },
   "repository": {
     "type": "git",