author | Philip Harrison <philip@mailharrison.com> | 2022-07-11 20:49:21 +0300 |
committer | GitHub <noreply@github.com> | 2022-07-11 20:49:21 +0300 |
commit | f032e1c0ada062e2139c8f057b24abb1ce2e4a33 (patch) | |
tree | f2082b192509a9abee0f66bc3b1d80b46a5a1378 /tap-snapshots/test/lib | |
parent | ef8d2edd7da993f4086c85089952cd45834ac78b (diff) |
feat: add npm audit signatures (#4827)
* feat: add npm audit signatures
Implements [RFC: Improve signature verification](https://github.com/npm/rfcs/pull/550/)
Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](https://github.com/npm/cli/pull/3452))
This command will verify registry signatures stored in the packument against a public key on the registry.
Supporting:
- Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
- Validates public keys are not expired
- Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
- Errors when encountering invalid signatures
- Output: json/human formats
Diffstat (limited to 'tap-snapshots/test/lib')
-rw-r--r-- | tap-snapshots/test/lib/commands/audit.js.test.cjs | 227 | ||||
-rw-r--r-- | tap-snapshots/test/lib/load-all-commands.js.test.cjs | 2 | ||||
-rw-r--r-- | tap-snapshots/test/lib/npm.js.test.cjs | 2 |
3 files changed, 229 insertions, 2 deletions
diff --git a/tap-snapshots/test/lib/commands/audit.js.test.cjs b/tap-snapshots/test/lib/commands/audit.js.test.cjs index c3680933e..3e7658c14 100644 --- a/tap-snapshots/test/lib/commands/audit.js.test.cjs +++ b/tap-snapshots/test/lib/commands/audit.js.test.cjs 
@@ -41,6 +41,233 @@ added 1 package, and audited 2 packages in xxx found 0 vulnerabilities ` +exports[`test/lib/commands/audit.js TAP audit signatures ignores optional dependencies > must match snapshot 1`] = ` +audited 1 package in xxx + +1 package has a verified registry signature + +` + +exports[`test/lib/commands/audit.js TAP audit signatures json output with invalid and missing signatures > must match snapshot 1`] = ` +{ + "invalid": [ + { + "name": "kms-demo", + "version": "1.0.0", + "location": "node_modules/kms-demo", + "resolved": "https://registry.npmjs.org/kms-demo/-/kms-demo-1.0.0.tgz", + "integrity": "sha512-QqZ7VJ/8xPkS9s2IWB7Shj3qTJdcRyeXKbPQnsZjsPEwvutGv0EGeVchPcauoiDFJlGbZMFq5GDCurAGNSghJQ==", + "signature": "bogus", + "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + } + ], + "missing": [ + { + "name": "async", + "version": "1.1.1", + "location": "node_modules/async", + "resolved": "https://registry.npmjs.org/async/-/async-1.1.1.tgz" + } + ] +} +` + +exports[`test/lib/commands/audit.js TAP audit signatures json output with invalid signatures > must match snapshot 1`] = ` +{ + "invalid": [ + { + "name": "kms-demo", + "version": "1.0.0", + "location": "node_modules/kms-demo", + "resolved": "https://registry.npmjs.org/kms-demo/-/kms-demo-1.0.0.tgz", + "integrity": "sha512-QqZ7VJ/8xPkS9s2IWB7Shj3qTJdcRyeXKbPQnsZjsPEwvutGv0EGeVchPcauoiDFJlGbZMFq5GDCurAGNSghJQ==", + "signature": "bogus", + "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA" + } + ], + "missing": [] +} +` + +exports[`test/lib/commands/audit.js TAP audit signatures json output with valid signatures > must match snapshot 1`] = ` +{ + "invalid": [], + "missing": [] +} +` + +exports[`test/lib/commands/audit.js TAP audit signatures multiple registries with keys and signatures > must match snapshot 1`] = ` +audited 2 packages in xxx + +2 packages have verified registry signatures + +` + +exports[`test/lib/commands/audit.js TAP audit signatures omit dev dependencies with 
missing signature > must match snapshot 1`] = ` +audited 1 package in xxx + +1 package has a verified registry signature + +` + +exports[`test/lib/commands/audit.js TAP audit signatures output details about missing signatures > must match snapshot 1`] = ` +audited 1 package in xxx + +1 package has a missing registry signature but the registry is providing signing keys: + +kms-demo@1.0.0 (https://registry.npmjs.org/) +` + +exports[`test/lib/commands/audit.js TAP audit signatures third-party registry with invalid signatures errors > must match snapshot 1`] = ` +audited 1 package in xxx + +1 package has an invalid registry signature: + +@npmcli/arborist@1.0.14 (https://verdaccio-clone.org) + +Someone might have tampered with this package since it was published on the registry! + +` + +exports[`test/lib/commands/audit.js TAP audit signatures third-party registry with keys and missing signatures errors > must match snapshot 1`] = ` +audited 1 package in xxx + +1 package has a missing registry signature but the registry is providing signing keys: + +@npmcli/arborist@1.0.14 (https://verdaccio-clone.org) +` + +exports[`test/lib/commands/audit.js TAP audit signatures third-party registry with keys and signatures > must match snapshot 1`] = ` +audited 1 package in xxx + +1 package has a verified registry signature + +` + +exports[`test/lib/commands/audit.js TAP audit signatures with both invalid and missing signatures > must match snapshot 1`] = ` +audited 2 packages in xxx + +1 package has a missing registry signature but the registry is providing signing keys: + +async@1.1.1 (https://registry.npmjs.org/) + +1 package has an invalid registry signature: + +kms-demo@1.0.0 (https://registry.npmjs.org/) + +Someone might have tampered with this package since it was published on the registry! 
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with bundled and peer deps and no signatures > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a verified registry signature
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with invalid signatures > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has an invalid registry signature:
+
+kms-demo@1.0.0 (https://registry.npmjs.org/)
+
+Someone might have tampered with this package since it was published on the registry!
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with invalid signtaures and color output enabled > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has an [1m[31minvalid[39m[22m registry signature:
+
+[31mkms-demo@1.0.0[39m (https://registry.npmjs.org/)
+
+Someone might have tampered with this package since it was published on the registry!
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with keys but missing signature > must match snapshot 1`] = `
+audited 1 package in xxx
+
+1 package has a missing registry signature but the registry is providing signing keys:
+
+kms-demo@1.0.0 (https://registry.npmjs.org/)
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures with multiple invalid signatures > must match snapshot 1`] = `
+audited 2 packages in xxx
+
+2 packages have invalid registry signatures:
+
+async@1.1.1 (https://registry.npmjs.org/)
+kms-demo@1.0.0 (https://registry.npmjs.org/)
+
+Someone might have tampered with these packages since they where published on the registry!
+ +` + +exports[`test/lib/commands/audit.js TAP audit signatures with multiple missing signatures > must match snapshot 1`] = ` +audited 2 packages in xxx + +2 packages have missing registry signatures but the registry is providing signing keys: + +async@1.1.1 (https://registry.npmjs.org/) +kms-demo@1.0.0 (https://registry.npmjs.org/) +` + +exports[`test/lib/commands/audit.js TAP audit signatures with multiple valid signatures and one invalid > must match snapshot 1`] = ` +audited 3 packages in xxx + +2 packages have verified registry signatures + +1 package has an invalid registry signature: + +node-fetch@1.6.0 (https://registry.npmjs.org/) + +Someone might have tampered with this package since it was published on the registry! + +` + +exports[`test/lib/commands/audit.js TAP audit signatures with valid and missing signatures > must match snapshot 1`] = ` +audited 2 packages in xxx + +1 package has a verified registry signature + +1 package has a missing registry signature but the registry is providing signing keys: + +async@1.1.1 (https://registry.npmjs.org/) +` + +exports[`test/lib/commands/audit.js TAP audit signatures with valid signatures > must match snapshot 1`] = ` +audited 1 package in xxx + +1 package has a verified registry signature + +` + +exports[`test/lib/commands/audit.js TAP audit signatures with valid signatures using alias > must match snapshot 1`] = ` +audited 1 package in xxx + +1 package has a verified registry signature + +` + +exports[`test/lib/commands/audit.js TAP audit signatures workspaces verifies registry deps and ignores local workspace deps > must match snapshot 1`] = ` +audited 3 packages in xxx + +3 packages have verified registry signatures + +` + +exports[`test/lib/commands/audit.js TAP audit signatures workspaces verifies registry deps when filtering by workspace name > must match snapshot 1`] = ` +audited 2 packages in xxx + +2 packages have verified registry signatures + +` + exports[`test/lib/commands/audit.js TAP fallback 
audit > must match snapshot 1`] = ` # npm audit report diff --git a/tap-snapshots/test/lib/load-all-commands.js.test.cjs b/tap-snapshots/test/lib/load-all-commands.js.test.cjs index 57dd61266..ef832be1b 100644 --- a/tap-snapshots/test/lib/load-all-commands.js.test.cjs +++ b/tap-snapshots/test/lib/load-all-commands.js.test.cjs @@ -44,7 +44,7 @@ exports[`test/lib/load-all-commands.js TAP load each command audit > must match Run a security audit Usage: -npm audit [fix] +npm audit [fix|signatures] Options: [--audit-level <info|low|moderate|high|critical|none>] [--dry-run] [-f|--force] diff --git a/tap-snapshots/test/lib/npm.js.test.cjs b/tap-snapshots/test/lib/npm.js.test.cjs index b287e73f7..c87e947fc 100644 --- a/tap-snapshots/test/lib/npm.js.test.cjs +++ b/tap-snapshots/test/lib/npm.js.test.cjs @@ -199,7 +199,7 @@ All commands: audit Run a security audit Usage: - npm audit [fix] + npm audit [fix|signatures] Options: [--audit-level <info|low|moderate|high|critical|none>] [--dry-run] [-f|--force] |
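Review bot: The user-facing message captured in the new audit.js.test.cjs snapshot for the multiple-invalid-signatures case reads `Someone might have tampered with these packages since they where published on the registry!`; "where" should be "were", and since this file is generated the fix belongs in the command that emits the string (presumably lib/commands/audit.js, outside this diff), after which the snapshot needs regenerating. The test title `with invalid signtaures and color output enabled` carries a similar typo in test/lib/commands/audit.js. Separately, the missing-signature output (`1 package has a missing registry signature but the registry is providing signing keys:`) ends at the package list while the invalid-signature output adds a tampering warning, and the JSON `missing` entries omit the `integrity` field that `invalid` entries include; if that asymmetry is deliberate, a short comment where the two lists are assembled would spare the next maintainer from reading it as an oversight, given the description treats a missing signature with published keys as an error as well.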