43 |
44 | 
45 |
46 | Node Version Audit:
47 | Source on Github
48 |
49 | 
50 |
51 |
52 | 
88 |
89 |
90 | 
95 |
96 |
97 | 
102 |
103 |
105 | Node Version Audit is a convenience tool to easily check a given Node.js version against a regularly 106 | updated list of CVE exploits, new releases, and end of life dates. 107 |
108 |109 | Node Version Audit is not: exploit detection/mitigation, vendor-specific version 110 | tracking, a replacement for staying informed on Node.js releases and security exploits. 111 |
112 | 113 |Index
115 | 134 |Features
138 |-
139 |
- List known CVEs for a given version of Node.js 140 |
- Check either the runtime version of Node.js, or a supplied version 141 |
- Display end-of-life dates for a given version of Node.js 142 |
-
143 | Display new releases for a given version of Node.js with configurable specificity
144 | (latest/minor/patch)
145 |
-
146 |
- Patch: 16.13.0 -> 16.13.2 147 |
- Minor: 16.13.0 -> 16.14.2 148 |
- Latest: 16.13.0 -> 17.9.0 149 |
151 | - 152 | Rules automatically updated daily. Information is sourced directly from nodejs.org - you'll 153 | never be waiting on someone like me to merge a pull request before getting the latest patch 154 | information. 155 | 156 |
- Multiple interfaces: CLI (via NPM), Docker, direct code import 157 |
- 158 | Easily scriptable for use with CI/CD workflows. All Docker/CLI outputs are in JSON format to be 159 | consumed with your favorite tools - such as jq 160 | 161 |
- 162 | Configurable exit conditions. Use CLI flags like `--fail-security` to set a failure exit code if 163 | the given version of Node.js has a known CVE or is no longer supported. 164 | 165 |
- Zero dependencies 166 |
Example
171 |
172 |
173 | npx node-version-audit@latest --version=16.14.1
174 | {
175 | "auditVersion": "16.14.1",
176 | "hasVulnerabilities": true,
177 | "hasSupport": true,
178 | "supportType": "active",
179 | "isLatestPatchVersion": false,
180 | "isLatestMinorVersion": false,
181 | "isLatestVersion": false,
182 | "latestPatchVersion": "16.14.2",
183 | "latestMinorVersion": "16.14.2",
184 | "latestVersion": "17.9.0",
185 | "activeSupportEndDate": "2022-10-18T00:00:00.000Z",
186 | "supportEndDate": "2024-04-30T00:00:00.000Z",
187 | "rulesLastUpdatedDate": "2022-04-13T02:37:54.081Z",
188 | "vulnerabilities": {
189 | "CVE-2022-778": {
190 | "id": "CVE-2022-778",
191 | "baseScore": 7.5,
192 | "publishedDate": "2022-03-15T17:15:00.000Z",
193 | "lastModifiedDate": "2022-04-06T20:15:00.000Z",
194 | "description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc)."
195 | }
196 | }
197 | }
198 |
200 |
201 | Usage
205 | 206 |CLI
207 |208 |
Running directly with npx is the preferred and easiest way to use Node Version Audit.
209 |
210 | Execute the script, checking the run-time version of Node.js:
211 | npx node-version-audit@latest
212 |
214 | Produce an exit code if any CVEs are found or support has ended
215 | npx node-version-audit@latest --fail-security
216 |
Docker
219 |220 |
Prefer Docker? Not a problem. It is just as easy to run using Docker:
221 |
222 | Check a specific version of Node.js using Docker:
223 | docker run --rm -t lightswitch05/node-version-audit:latest --version=17.9.0
224 |
226 | Check the host's Node.js version using Docker:
227 | docker run --rm -t lightswitch05/node-version-audit:latest --version=$(node -e
229 | "console.log(process.versions.node)")
231 |
233 | Run behind an HTTPS proxy (for use on restricted networks). Requires a volume mount of a directory
234 | with your trusted cert (with .crt extension) - see
235 | update-ca-certificates
238 | for more details.
239 | docker run --rm -t -e https_proxy='https://your.proxy.server:port/' --volume
241 | /full/path/to/trusted/certs/directory:/usr/local/share/ca-certificates
242 | lightswitch05/node-version-audit:latest --version=17.9.0
244 |
Direct Invocation
247 |248 |
249 | Want to integrate with Node Version Audit? That is certainly possible. A word caution, this is a
250 | very early release. I do not have any plans for breaking changes, but I am also not committed to
251 | keeping the interface code as-is if there are new features to implement. Docker/CLI/JSON is
252 | certainly the preferred over direct invocation.
253 |
254 | const { NodeVersionAudit } = require('node-version-audit/lib/NodeVersionAudit');
260 |
255 | const nodeVersionAudit = new NodeVersionAudit('17.8.0', true);
256 | const auditResults = await nodeVersionAudit.getAllAuditResults();
257 | auditResults.supportEndDate; //-> 2022-06-01T00:00:00.000Z
258 | auditResults.hasVulnerabilities(); //-> true
259 |
JSON Rules
263 |264 |
265 | The data used to drive Node Version Audit is automatically updated on a regular basis and is hosted 266 | on GitHub pages. This is the real meat-and-potatoes of Node Version Audit, and you can consume it 267 | directly for use in other tools. If you choose to do this, please respect the project license by 268 | giving proper attribution notices. Also, I ask any implementations to read the lastUpdatedDate and 269 | fail if it has become out of date (2+ weeks). This should not happen since it is automatically 270 | updated… but we all know how fragile software is. 271 |
272 |
273 | Get the latest Node.js 17 release version directly from the rules using
274 | curl and jq:
275 |
276 | curl -s https://www.github.developerdan.com/node-version-audit/rules-v1.json | jq
277 | '.latestVersions["17"]'
278 |
279 |
Options
282 |283 |
-
284 |
- --help 285 |
- show arguments help message and exit. 286 |
- --version=VERSION 287 |
- 288 | set the Node.js Version to run against. Defaults to the runtime version. This is required when 289 | running with docker. 290 | 291 |
- --fail-security 292 |
- generate a 10 exit code if any CVEs are found, or security support has ended. 293 |
- --fail-support 294 |
- generate a 20 exit code if the version of Node.js no longer gets active (bug) support. 295 |
- --fail-patch 296 |
- generate a 30 exit code if there is a newer patch-level release. 297 |
- --fail-minor 298 |
- generate a 40 exit code if there is a newer minor-level release. 299 |
- --fail-latest 300 |
- generate a 50 exit code if there is a newer release. 301 |
- --no-update 302 |
- do not download the latest rules. NOT RECOMMENDED! 303 |
- --silent 304 |
- do not write any error messages to STDERR. 305 |
- --v 306 |
- 307 | Set verbosity. v=warnings, vv=info, vvv=debug. Default is error. All logging writes to STDERR. 308 | 309 |
Output
314 |-
315 |
- • auditVersion: string 316 |
- The version of Node.js that is being audited. 317 |
- • hasVulnerabilities: bool 318 |
- If the auditVersion has any known CVEs or not. 319 |
- • hasSupport: bool 320 |
- If the auditVersion is still receiving support. 321 |
- • supportType: string 322 |
- The current support status of auditVersion: 'current'|'active'|'maintenance'|'none'. 323 |
- • isLatestPatchVersion: bool 324 |
- If auditVersion is the latest patch-level release (17.9.x). 325 |
- • isLatestMinorVersion: bool 326 |
- If auditVersion is the latest minor-level release (17.x.x). 327 |
- • isLatestVersion: bool 328 |
- If auditVersion is the latest release (x.x.x). 329 |
- • latestPatchVersion: string 330 |
- The latest patch-level version for auditVersion. 331 |
- • latestMinorVersion: string 332 |
- The latest minor-level version for auditVersion. 333 |
- • latestVersion: string 334 |
- The latest Node.js version. 335 |
- • activeSupportEndDate: string|null 336 |
- ISO8601 formatted date for the end of active support for auditVersion. 337 |
- • supportEndDate: string|null 338 |
- ISO8601 formatted date for the end of maintenance support for auditVersion. 339 |
- • rulesLastUpdatedDate: string 340 |
- ISO8601 formatted date for the last time the rules were auto-updated. 341 |
- • vulnerabilities: object 342 |
- 343 | CVEs known to affect auditVersion with details about the CVE. CVE Details might be null for 344 | recently discovered CVEs. 345 | 346 |
Project Goals
350 |-
351 |
- 352 | Always use update-to-date information and fail if it becomes too stale. Since this tool is 353 | designed to help its users stay informed, it must in turn fail if it becomes outdated. 354 | 355 |
- 356 | Fail if the requested information is unavailable. ex. auditing an unknown version of Node.js 357 | like 12.50.0, or 0.9.0. Again, since this tool is designed to help its users stay informed, it 358 | must in turn fail if the requested information is unavailable. 359 | 360 |
- Work in both open and closed networks (as long as the tool is up-to-date). 361 |
- Minimal footprint and dependencies (no runtime dependencies). 362 |
- 363 | Runtime support for the oldest supported version of Node.js. If you are using this tool with an 364 | unsupported version of Node.js, then you already have all the answers that this tool can give 365 | you: Yes, you have vulnerabilities and are out of date. Of course that is just for the run-time, 366 | it is still the goal of this project to supply information about any reasonable version of 367 | Node.js. 368 | 369 |
License & Acknowledgments
373 |-
374 |
- 375 | This project is released under the 376 | Apache License 2.0. 379 | 380 |
- 381 | The accuracy of the information provided by this project cannot be verified or guaranteed. All 382 | functions are provided as convenience only and should not be relied on for accuracy or 383 | punctuality. 384 | 385 |
- 386 | The logo was created using Mathias Pettersson and Brian Hammond's 387 | Node.js Logo as the base 388 | image. The logo has been modified from its original form to include overlay graphics. 389 | 390 |
- 391 | This project and the use of the modified Node.js logo is not endorsed by Mathias Pettersson or 392 | Brian Hammond. 393 | 394 |
- This project and the use of the Node.js name is not endorsed by OpenJS Foundation. 395 |
- 396 | CVE details and descriptions are downloaded from National Institute of Standard and Technology's 397 | National Vulnerability Database. This project and the use of 398 | CVE information is not endorsed by NIST or the NVD. CVE details are provided as convenience 399 | only. The accuracy of the information cannot be verified. 400 | 401 |
- 402 | Node.js release details and support dates are generated from 403 | Changelogs 404 | and the 405 | Release Schedule. The 406 | accuracy of the information cannot be verified. 407 | 408 |