
Update NPMAudit version #352

Open
iondrimba opened this issue Apr 14, 2021 · 12 comments

Comments

@iondrimba

Hi there, currently I'm trying to update the node version of a project to version 15.14.0 + npm 7.7.6, but the NPMAudit still runs on version 6.14.8.

==== NPMAudit v6.14.8: FAILED in 2.13s

I'm using the latest image coinbase/salus:latest

Is there a way to force an update?

@ghbren
Contributor

ghbren commented Apr 14, 2021

Hi, where did you make this update?

@iondrimba
Author

iondrimba commented Apr 14, 2021

I updated only node+npm, I'm getting this error constantly (don't think npm is unreachable)
I updated locally and on my CI with a new circleci/node:15.14.0-browsers

  [
    {
      "message": "Unhandled exception running NPMAudit: RuntimeError: `npm audit --json` failed unexpectedly (error code ENOAUDIT):\n```\nYour configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.\n```",
      "error_class": "RuntimeError",
      "backtrace": [
        "/home/lib/salus/scanners/npm_audit.rb:36:in `scan_for_cves'",
        "/home/lib/salus/scanners/node_audit.rb:32:in `block in run'",
        "/home/lib/salus/scanners/node_audit.rb:31:in `chdir'",
        "/home/lib/salus/scanners/node_audit.rb:31:in `run'",
        "/home/lib/salus/scanners/base.rb:74:in `block in run!'"
      ]
    }
  ]

@iondrimba
Author

Locally without the CI scan npm audit works ok

@iondrimba
Author

docker run --rm -t -v $(pwd):/home/repo coinbase/salus
Unable to find image 'coinbase/salus:latest' locally
latest: Pulling from coinbase/salus

a628af6f: Pulling fs layer 
fb547ecd: Pulling fs layer 
13188506: Pulling fs layer 
28d87672: Pulling fs layer 
c0f445c0: Pulling fs layer 
64fac168: Pulling fs layer 
11aa0557: Pulling fs layer 
872d39f3: Pulling fs layer 
8483abde: Pulling fs layer 
35e4f278: Pulling fs layer 
98179508: Pulling fs layer 
3a1e2114: Pulling fs layer 
1bf2815c: Pulling fs layer 
affe8cef: Pulling fs layer 
2e4822b0: Pulling fs layer 
fd8ff458: Pulling fs layer 
ac967f5d: Pulling fs layer 
b700ef54: Pulling fs layer 
f2536bee: Pulling fs layer 
7ae63c6d: Pulling fs layer 
e1e98f98: Pulling fs layer 
b0719d4c: Pulling fs layer 
b38776ee: Pulling fs layer 
Digest: sha256:###### 
Status: Downloaded newer image for coinbase/salus:latest
[INFORMATIONAL: 2021-04-15 20:05:22 +0000]: Salus is running.
==== Salus Scan v2.11.5

==== NPMAudit v6.14.8: FAILED in 1.99s

 ~~ Errors:

  [
    {
      "message": "Unhandled exception running NPMAudit: RuntimeError: `npm audit --json` failed unexpectedly (error code ENOAUDIT):\n```\nYour configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.\n```",
      "error_class": "RuntimeError",
      "backtrace": [
        "/home/lib/salus/scanners/npm_audit.rb:36:in `scan_for_cves'",
        "/home/lib/salus/scanners/node_audit.rb:32:in `block in run'",
        "/home/lib/salus/scanners/node_audit.rb:31:in `chdir'",
        "/home/lib/salus/scanners/node_audit.rb:31:in `run'",
        "/home/lib/salus/scanners/base.rb:74:in `block in run!'"
      ]
    }
  ]

==== PatternSearch v0.9.0: PASSED in 0.0s

==== RepoNotEmpty: PASSED in 0.0s

==== Semgrep v0.36.0: PASSED in 0.0s

==== ReportNodeModules: PASSED in 0.08s

==== Salus Configuration Files Used:



==== Salus Errors

  [
    {
      "message": "Unhandled exception running NPMAudit: RuntimeError: `npm audit --json` failed unexpectedly (error code ENOAUDIT):\n```\nYour configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.\n```",
      "error_class": "RuntimeError",
      "backtrace": [
        "/home/lib/salus/scanners/npm_audit.rb:36:in `scan_for_cves'",
        "/home/lib/salus/scanners/node_audit.rb:32:in `block in run'",
        "/home/lib/salus/scanners/node_audit.rb:31:in `chdir'",
        "/home/lib/salus/scanners/node_audit.rb:31:in `run'",
        "/home/lib/salus/scanners/base.rb:74:in `block in run!'"
      ]
    }
  ]


Overall scan status: FAILED in 3.11s

┌───────────────────┬──────────────┬──────────┬────────┐
│ Scanner           │ Running Time │ Required │ Passed │
├───────────────────┼──────────────┼──────────┼────────┤
│ NPMAudit          │ 1.99s        │ yes      │ no     │
│ PatternSearch     │ 0.0s         │ yes      │ yes    │
│ RepoNotEmpty      │ 0.0s         │ yes      │ yes    │
│ Semgrep           │ 0.0s         │ yes      │ yes    │
│ ReportNodeModules │ 0.08s        │ no       │ yes    │
└───────────────────┴──────────────┴──────────┴────────┘

@ghbren
Contributor

ghbren commented Apr 15, 2021

Can you paste the code where you updated node+npm?
Also, please let me know the filename.

@iondrimba
Author

For my build step on circle ci

  build:
    docker:
      - image: cimg/node:15.14.0-browsers
        environment:

package json

  "engines": {
    "node": "15.14.0",
    "npm": "7.7.6"
  },

salus step

  security_check:
    machine:
      enabled: true
      docker_layer_caching: true
    steps:
      - checkout
      - run:
          name: Salus scanners
          command: docker run --rm -t -v $(pwd):/home/repo coinbase/salus

@iondrimba
Author

I noticed that salus docker is using these versions:

ENV NODE_VERSION 13.8.0
ENV NPM_VERSION 6.14.8

This may be the cause of breaking the audit. There are big changes from npm 6 to 7 and node 13 to 15

@iondrimba
Author

iondrimba commented Apr 16, 2021

Can we somehow change these ENVs something like docker run --rm --env NODE_VERSION=15.14.0 --env NPM_VERSION=7.7.6 -t -v $(pwd):/home/repo coinbase/salus?

@iondrimba
Author

Running locally with the same node version as the salus image I get the same error

$ npm audit
npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.
npm ERR! A complete log of this run can be found in:
npm ERR!     /home/ion/.npm/_logs/2021-04-16T16_02_30_354Z-debug.log

I assume you can't scan a node 15 project with a node 13 version
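The two problems surfaced in this thread (the scanner image's node/npm versions being behind the project's "engines" field, and `npm audit --json` failing with ENOAUDIT rather than returning findings) can both be caught by a small CI preflight. The script below is an added example written for this page; it is not Salus code and not iondrimba's project. It assumes the `error.code`/`error.summary` shape that npm prints with `--json` when a command fails, and that `metadata.vulnerabilities` carries the per-severity counts (both npm 6 and npm 7 audit output include it). The sample inputs are constructed from the versions quoted in this issue.

```javascript
// Added example, not Salus project code. A CI preflight for an npm audit step:
//  1. checkEngines() compares the node/npm versions present in the scanner
//     image with the project's package.json "engines" field, so a version gap
//     like node 13 / npm 6 vs. node 15 / npm 7 is reported before the audit runs.
//  2. classifyAudit() reads `npm audit --json` output and reports a tool error
//     such as ENOAUDIT as a scanner failure, never as "no vulnerabilities".

// Numeric major.minor.patch comparison: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.replace(/^v/, '').split('.').map(Number);
  const pb = b.replace(/^v/, '').split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns a list of human-readable problems; an empty list means every engine matches.
// Only exact ("15.14.0") and minimum (">=15.0.0") specs are interpreted; any other
// range syntax is flagged for manual review rather than silently accepted.
function checkEngines(packageJsonText, available) {
  const engines = JSON.parse(packageJsonText).engines || {};
  const problems = [];
  for (const [tool, spec] of Object.entries(engines)) {
    const have = available[tool];
    if (!have) {
      problems.push(`${tool}: required ${spec}, not present in scanner image`);
      continue;
    }
    const m = /^(>=)?\s*v?(\d+\.\d+\.\d+)$/.exec(String(spec).trim());
    if (!m) {
      problems.push(`${tool}: spec "${spec}" not understood, review manually`);
      continue;
    }
    const [, op, want] = m;
    const cmp = compareVersions(have, want);
    const ok = op === '>=' ? cmp >= 0 : cmp === 0;
    if (!ok) problems.push(`${tool}: required ${spec}, scanner image has ${have}`);
  }
  return problems;
}

// Outcome of one `npm audit --json` run. The "error" object shape is the one npm
// emits with --json when the command fails (assumed here: error.code and
// error.summary); metadata.vulnerabilities is the per-severity count table.
// Non-JSON output or an error payload is a scanner failure, distinct from a finding.
function classifyAudit(stdout, exitCode) {
  let doc;
  try {
    doc = JSON.parse(stdout);
  } catch (e) {
    return { status: 'scanner_error', reason: 'npm audit produced no JSON', exitCode };
  }
  if (doc.error) {
    return { status: 'scanner_error', reason: `${doc.error.code}: ${doc.error.summary}`, exitCode };
  }
  const counts = (doc.metadata && doc.metadata.vulnerabilities) || {};
  let total = 0;
  for (const [severity, n] of Object.entries(counts)) {
    if (severity !== 'total') total += n;
  }
  return { status: total > 0 ? 'fail' : 'pass', total, exitCode };
}

// ---- Constructed sample inputs (modelled on the versions quoted in this issue) ----
const SCANNER_IMAGE_VERSIONS = { node: '13.8.0', npm: '6.14.8' };
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo', engines: { node: '15.14.0', npm: '7.7.6' },
});
const SAMPLE_ENOAUDIT_JSON = JSON.stringify({
  error: {
    code: 'ENOAUDIT',
    summary: 'Your configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.',
    detail: '',
  },
});
const SAMPLE_CLEAN_JSON = JSON.stringify({
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 0 } },
});
const SAMPLE_FINDINGS_JSON = JSON.stringify({
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 2, critical: 0, total: 3 } },
});

// Demo run: prints the engine mismatches and the classification of each sample.
function runPreflight() {
  const problems = checkEngines(SAMPLE_PACKAGE_JSON, SCANNER_IMAGE_VERSIONS);
  console.log(problems.length ? problems.join('\n') : 'engines match scanner image');
  const samples = [['ENOAUDIT', SAMPLE_ENOAUDIT_JSON, 1], ['clean', SAMPLE_CLEAN_JSON, 0], ['findings', SAMPLE_FINDINGS_JSON, 1]];
  for (const [name, out, code] of samples) {
    console.log(name, JSON.stringify(classifyAudit(out, code)));
  }
  return problems;
}

runPreflight();
```

In a pipeline, `checkEngines` would be fed the real package.json and the output of `node --version` / `npm --version` from inside the scanner container, and `classifyAudit` the captured stdout and exit code of `npm audit --json`; a `scanner_error` result should fail the job (as Salus does above) rather than being treated as a clean audit.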

@ghbren
Contributor

ghbren commented Apr 17, 2021

I noticed that salus docker is using these versions:

ENV NODE_VERSION 13.8.0
ENV NPM_VERSION 6.14.8

This may be the cause of breaking the audit. There are big changes from npm 6 to 7 and node 13 to 15

Yeah, that may be why. We will look into upgrading NPM/node, but right now I'm not sure when we will get there.

@ghbren
Contributor

ghbren commented Apr 17, 2021

Running locally with the same node version as the salus image I get the same error

$ npm audit
npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.
npm ERR! A complete log of this run can be found in:
npm ERR!     /home/ion/.npm/_logs/2021-04-16T16_02_30_354Z-debug.log

I assume you can't scan a node 15 project with a node 13 version

@ghbren ghbren closed this as completed Apr 17, 2021
@ghbren ghbren reopened this Apr 17, 2021
@ghbren
Contributor

ghbren commented Apr 17, 2021

Running locally with the same node version as the salus image I get the same error

$ npm audit
npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.
npm ERR! A complete log of this run can be found in:
npm ERR!     /home/ion/.npm/_logs/2021-04-16T16_02_30_354Z-debug.log

I assume you can't scan a node 15 project with a node 13 version

Looks like that is true, because the command doesn't involve salus.
