How to check for only high vulnerabilities when using "npm audit"?

When you I execute npm install using new npm 6 i got a messages that tell me I have some vulnerabilities :

[!] 75 vulnerabilities found [4867 packages audited]

Severity: 66 Low | 4 Moderate | 5 High

Run npm audit for more detail

I ran npm audit but got a truncated list of vulnerabilities.

How I can check for only High vulnerabilities list ?

Thanks

33690 次浏览
小开

Not the answer you are looking for, but it will do the same:

npm audit | grep -B 1 -A 10 High
小开

This package might be what you are looking for:

https://www.npmjs.com/package/audit-filter

It lets you filter by advisory number, which is better than filtering by level. 

$ cat .nsprc
{
"exceptions": [
"https://npmjs.com/advisories/532",
"https://npmjs.com/advisories/577"
]
}

Couple that with npm config for audit level and you're golden.

小开

Just to count the High(s):

npm audit | grep 'High' | wc -l | rev
小开

This one worked for me:

Show High Only

npm audit | grep -E "(High)" -B3 -A10

Show both Critical and High Issues

npm audit | grep -E "(High | Critical)" -B3 -A10

Look at the issue discussion where this solution is proposed.

小开

If your are looking to do it in Powershell, just use the following command (Adapted from @stayingcool's answer):

Show High Only

npm audit | Select-String -Pattern "High" -Context 0,10

Show both High and Critical

npm audit | Select-String -Pattern "(High | Critical)" -Context 0,10
小开

Edit: I recommend this (better) answer: https://stackoverflow.com/a/58056454/88111

It's not as pretty, but you can do:

npm audit --parseable | grep high

With one additional downside being any package/issue metadata containing "high" will also be printed.

小开

The --audit-level=high flag doesn't change the output of npm audit.

I'm sending this to html for reporting purposes, so looking to clean it up further:

npm audit | grep -E "(High | Critical)" -B3 -A11 --color=always | grep -E '┌|│|├|└' --color=never

But this will lose the title, and the 'found vulnerabilities' at the bottom. I found it simplest to just run npm audit a couple times and get the bits I need appended to a file.

Ended up going with something like this:

npm audit | grep '===' --color=never > temp.txt
npm audit | grep -E "(High | Critical)" -B3 -A11 --color=never | grep -E '┌|│|├|└' --color=never >> temp.txt
npm audit | grep -E "(found|scanned packages)" --color=never >> temp.txt
cat temp.txt

Or as a catchy one liner (lol) that also removes the temp.txt file:

npm audit | grep '=== npm audit' --color=never > temp.txt; npm audit | grep -E "(High | Critical)" -B3 -A11 --color=never | grep -E '┌|│|├|└' --color=never >> temp.txt; npm audit | grep -E "(found|scanned packages)" --color=never >> temp.txt; cat temp.txt; rm temp.txt;

The line is ugly but is working well across a bunch of different repos, provided you only need the output in the terminal.

When outputting to a file, npm audit includes ansi color codes, that can't be turned off. And this is a problem for my reports! Sed can be used to remove them:

sed -i '' $'s,\x1b\\[[0-9;]*[a-zA-Z],,g' temp.txt
小开

Put this line into your audit scripts:

"audit": "level=$(npm audit --parseable | grep -E 'high|critical' | wc -l | rev); [ $level == 0 ] && exit 0"

This code does check the output of npm audit. If there are no high or critical vulnerabilities the process will not exit with error.


提交答案