Finds CVEs in Node modules included as dependencies in a project.
NodeAudit
is a superclass scanner for YarnAudit
(executes yarn audit
) and NPMAudit
(executes npm audit
).
When a CVE is present in a dependency, the best course of action is to upgrade the dependency to a patched version. Conveniently, you can run npm audit fix
which will try to find a compatible and patched version of the module. If you're using yarn
you will have to try upgrading manually.
This might not be possible if there is no patched version available yet or if the upgraded version is not compatible with your project. Provided that the vulnerability is not relevant to the way in which you use this dependency, you might want Salus to ignore this particular CVE. Use the following configuration to achieve this.
scanner_configs:
NodeAudit:
exceptions:
- advisory_id: 39
changed_by: security-team
notes: Currently no patch exists and determined that this vulnerability is not exploitable.
expiration: "2021-04-27"
NOTE
To allow for backwards compatibility and easy switching between NPM and Yarn, Salus will merge configuration for NodeAudit
, NPMAudit
and YarnAudit
into a single object to configure the NodeAudit
scanner.