Find vulnerabilities in JavaScript with Yarn
You can scan JavaScript in Yarn repositories using the command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis, see Packaging JavaScript and TypeScript applications.
Scan your code
You can scan Yarn projects but not Yarn workspaces. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-javascript-yarn
After you add a srcclr.yml file to the directory that you point the Veracode SCA agent at, you can use it to specify scan directives for your Yarn code. The scope directive requires Yarn-specific configuration.
Before you begin:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Yarn repository.
- Have NPM 2.10.0 or later installed on the local path.
- Include the yarn.lock file in the repository to scan.
- Include the package.json file in the repository to scan, in the same directory as the yarn.lock file.
- Have Yarn installed through NPM and located on the local path.
The Veracode SCA agent runs Yarn's own lockfile parser to identify the dependencies and their versions in your project. To check that the agent will be able to parse the project's yarn.lock before you scan, run the same command yourself, replacing the /path/to placeholder with the path to your repository. The require path is relative to your working directory, so run the command from inside your Yarn installation, next to its lib directory; it prints the parsed lockfile as JSON:
node -e "var fs = require('fs'); \
var parse = require('../lib/lockfile/parse.js').default; \
var contents = fs.readFileSync('/path/to/example-javascript-yarn/yarn.lock', 'utf8'); \
console.log(JSON.stringify(parse(contents)));"
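As an added example, and not code from Veracode's documentation or from Yarn, the script below parses a constructed, abridged yarn.lock in the v1 format that the command above reads, lists every version of each package that Yarn resolved, and traces which direct dependency from package.json pulls in a given vulnerable version. It goes beyond the page in one respect: it prints the dependency path, which is what you need to decide whether the direct-dependency or transitive-dependency fix later on this page applies, and rerunning it over the updated yarn.lock after a fix confirms that the vulnerable version is gone. The package names match the page's examples, but the dependency lists and resolved URLs are constructed for illustration; SAMPLE_YARN_LOCK and SAMPLE_PACKAGE_JSON are stand-ins for the real files.

```javascript
// Added example: a small parser for the yarn.lock v1 format that lists every
// resolved version of each package, tells direct dependencies (named in
// package.json) from transitive ones, and traces which direct dependency pulls
// in a given vulnerable version. Not Veracode's or Yarn's own code.

// Constructed, abridged lockfile. The dependency lists and URLs are
// illustrative only and are not the real dependencies of these packages.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"cookie-signature@1.0.3":
  version "1.0.3"
  resolved "https://registry.yarnpkg.com/cookie-signature/-/cookie-signature-1.0.3.tgz#aaa"

cookie-signature@1.0.4, cookie-signature@^1.0.4:
  version "1.0.4"
  resolved "https://registry.yarnpkg.com/cookie-signature/-/cookie-signature-1.0.4.tgz#bbb"

express@4.1.1:
  version "4.1.1"
  resolved "https://registry.yarnpkg.com/express/-/express-4.1.1.tgz#ccc"
  dependencies:
    cookie-signature "1.0.3"

"other-lib@^2.0.0":
  version "2.3.0"
  resolved "https://registry.yarnpkg.com/other-lib/-/other-lib-2.3.0.tgz#ddd"
  dependencies:
    cookie-signature "^1.0.4"
`;

// Constructed package.json: the direct dependencies of the example project.
const SAMPLE_PACKAGE_JSON = { dependencies: { express: "4.1.1", "other-lib": "^2.0.0" } };

const stripQuotes = (s) => (s.length >= 2 && s.startsWith('"') && s.endsWith('"') ? s.slice(1, -1) : s);
// The package name is everything before the last "@", so scoped names keep their leading "@".
const nameOf = (key) => key.slice(0, key.lastIndexOf("@"));

// Split a header such as `a@1.0.0, "a@>=1, <2"` into its keys, honouring quotes.
function splitKeys(header) {
  const keys = [];
  let cur = "";
  let quoted = false;
  for (const ch of header) {
    if (ch === '"') quoted = !quoted;
    else if (ch === "," && !quoted) { keys.push(cur.trim()); cur = ""; }
    else cur += ch;
  }
  keys.push(cur.trim());
  return keys;
}

// Returns a map "name@range" -> { name, version, dependencies: { name: range } }.
// Keys that share one lockfile block share one entry object.
function parseYarnLock(text) {
  const entries = {};
  let current = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 0) {
      current = { name: null, version: null, dependencies: {} };
      inDeps = false;
      for (const key of splitKeys(body.replace(/:$/, ""))) {
        current.name = current.name || nameOf(key);
        entries[key] = current;
      }
    } else if (!current) {
      continue; // indented line before any header: malformed, skip it
    } else if (indent === 2) {
      inDeps = body === "dependencies:" || body === "optionalDependencies:";
      if (body.startsWith("version ")) current.version = stripQuotes(body.slice(8).trim());
    } else if (indent === 4 && inDeps) {
      const sp = body.indexOf(" "); // `name "range"`; ranges may contain spaces, names do not
      current.dependencies[stripQuotes(body.slice(0, sp))] = stripQuotes(body.slice(sp + 1).trim());
    }
  }
  return entries;
}

// name -> sorted (lexicographically, not by semver) distinct resolved versions;
// more than one entry means Yarn installed several copies side by side.
function resolvedVersions(entries) {
  const byName = {};
  for (const e of new Set(Object.values(entries))) {
    if (!byName[e.name]) byName[e.name] = new Set();
    byName[e.name].add(e.version);
  }
  return Object.fromEntries(Object.entries(byName).map(([n, s]) => [n, [...s].sort()]));
}

// Every path from a direct dependency down to vulnName@vulnVersion, as arrays
// of "name@version"; a one-element path means the vulnerable library is direct.
function pathsTo(entries, pkgJson, vulnName, vulnVersion) {
  const roots = { ...pkgJson.dependencies, ...pkgJson.devDependencies };
  const found = [];
  const walk = (name, range, path, seen) => {
    const e = entries[`${name}@${range}`];
    if (!e) return; // lockfile out of sync with package.json: nothing to trace
    const node = `${e.name}@${e.version}`;
    if (seen.has(node)) return; // guard against dependency cycles
    const next = [...path, node];
    if (e.name === vulnName && e.version === vulnVersion) found.push(next);
    for (const [dn, dr] of Object.entries(e.dependencies)) walk(dn, dr, next, new Set([...seen, node]));
  };
  for (const [n, r] of Object.entries(roots)) walk(n, r, [], new Set());
  return found;
}

if (typeof require !== "undefined" && require.main === module) {
  const entries = parseYarnLock(SAMPLE_YARN_LOCK);
  console.log(resolvedVersions(entries));
  console.log(pathsTo(entries, SAMPLE_PACKAGE_JSON, "cookie-signature", "1.0.3"));
}
```

On the constructed lockfile the script reports two resolved versions of cookie-signature (1.0.3 and 1.0.4) and a single path express@4.1.1 -> cookie-signature@1.0.3, so the vulnerable copy is transitive and is pulled in only by Express. To use it on a real project, replace the two constants with the contents of your yarn.lock and package.json.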
To complete this task:
At the command line, run the scan command pointed to the directory of the Yarn repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Fix example direct vulnerability
When your configuration file specifically references a library, Veracode SCA refers to the library as a direct dependency.
These example steps provide a fix for a Cross-site Scripting (XSS) Using Non-standard Encodings vulnerability in Express, version 4.1.1 in the example-javascript-yarn project.
To complete this task:
- To upgrade Express and update the yarn.lock file in the root of the project, run the following, replacing {fixed_version} with a version of Express that is not affected by the vulnerability:
  yarn upgrade express@{fixed_version}
  yarn install --flat
Fix example transitive vulnerability (Yarn 1.0 or later)
Because Yarn projects (version 1.0 or later) allow multiple versions of the same library to be installed side by side, you cannot override a vulnerable transitive library just by adding the fixed version directly to the configuration file: the transitive copy stays in place. Use a resolutions entry to force the version instead.
These steps provide a fix for a Timing Attack Via Signature Validation vulnerability in cookie-signature, version 1.0.3 in the example-javascript-yarn repository.
To complete this task:
- Add this resolutions section to your package.json file:
  "resolutions": {
    "cookie-signature": "1.0.4"
  }
  If a resolutions section already exists, add "cookie-signature": "1.0.4" to it.
- Run the yarn install command.
Next steps:
After completing these steps, build, test, and rescan your project to ensure the fix succeeded.
Fix example transitive vulnerability (Yarn earlier than 1.0)
Because Yarn projects earlier than version 1.0 also allow multiple versions of the same library, but do not support the resolutions field, you cannot override a vulnerable transitive library by adding the appropriate version directly to the configuration file. Instead, install the fixed version and flatten the dependency tree so that only one version remains.
These steps provide a fix for a Timing Attack Via Signature Validation vulnerability in cookie-signature, version 1.0.3 in the example-javascript-yarn repository.
To complete this task:
- To install version 1.0.4 of the cookie-signature library, run:
  yarn add cookie-signature@1.0.4
- Run the following command and, when prompted, choose the latest version:
  yarn install --flat
Next steps:
After completing these steps, build, test, and rescan your project to ensure the fix succeeded.