Testing for node modules vulnerabilities

One way to keep known vulnerabilities from creeping into a codebase through its node modules is a Jenkins job that checks them on a daily basis against a continuously updated database of known vulnerabilities.

One such database is provided by the Node Security community and can be easily integrated using the Node Security Platform (nsp) node package.

Create a new Pipeline-type job with the following implementation (only the essential parts are shown; you may need to add more pieces to fit your setup):

  • root-of-project-must-have-node-modules-folder – a pre-existing job folder containing a cloned repository with its node modules folder
  • Packages Vulnerability Checker – the name of this job (its folder is created once the job runs)
#!groovy

pipeline {
   agent any   // a declarative pipeline must declare an agent

   stages {
      stage ("Check for vulnerability") {
         steps {
            script {
               def vulStatus

               // Check dashboard node modules.
               // nsp exits non-zero when it finds vulnerabilities, and the Jenkins sh step
               // runs the script with "set -e", so mask the exit status: the saved output
               // and the build log are what we act on, not the exit code.
               sh '''
                  cd ../root-of-project-must-have-node-modules-folder
                  nsp check > "../Packages Vulnerability Checker/test-results.txt" || true
                  nsp check || true
               '''

               // The file was written into this job's workspace, so a relative path reads it back.
               vulStatus = readFile('test-results.txt').trim()
               if (vulStatus != "(+) No known vulnerabilities found") {
                  slackSend (
                     color: '#F01717',
                     message: "@channel $JOB_NAME: <$BUILD_URL|Build #$BUILD_NUMBER> vulnerabilities found in Dashboard node modules. Check build logs."
                  )
               }

               // additional folders to check...
            }
         }
      }
   }
}

Using multiple mocha reporters

Mocha, the “simple, flexible and fun” JavaScript test framework, provides several built-in reporters. By default you can only use one, but there are situations where you want several: for example, you may want the test report to be both visible in the build log and available as JUnit-style XML. Luckily, the two can be combined.

To do this:

  1. Install the following npm packages in your project:
    • mocha
    • mocha-junit-reporter
    • mocha-multi-reporters
  2. Create a config folder with a mocha-config.json file in it:
    {
     "reporterEnabled": "list,mocha-junit-reporter",
     "mochaJunitReporterReporterOptions": {
         "mochaFile": "testResults/results.xml"
     }
    }
    

    list is one of the built-in reporters in mocha. mochaFile is the path where the test results are written (if the file or folder does not exist, it is created).

  3. In your npm test command (or in a custom command, e.g. npm run unit-tests), add the following:

    "scripts": { 
     "test": "mocha --recursive --reporter mocha-multi-reporters --reporter-options configFile=config/mocha-config.json"
    }
    

    Note that by default mocha looks for a test folder at the root of the project. If your folder is named differently, or you want mocha to run only a specific folder, state it explicitly, e.g. mocha test/unit-tests.