
Comparing npm Audit Versus AuditJS

A while back I wrote a blog post after a colleague shared a new JavaScript auditing tool called AuditJS. I wanted to update that post based on more time with the tool, particularly since a new version was recently released!

AuditJS is a free tool leveraging Sonatype's OSS Index (OSSI). OSSI exposes a REST API aggregating several security vulnerability feeds, including CVE, CWE and NVD. OSSI continues to evolve by adding more data sources and benefits from ongoing curation of existing feeds. The effort required to mine so much data is conveniently abstracted away, as it should be by a good tool: set up AuditJS and reap the benefits!

The 4.x release brought a lot of bug fixes and usability enhancements based on community feedback. Installation is quick and easy: if you want to run AuditJS as an npm script, just run npm i auditjs -D to get started. I prefer running it via npx auditjs ossi.

You can use it as a one-off CLI or easily integrate it with your CI/CD pipelines. It's possible to integrate with the commercial IQ Server (which benefits from additional curation including both human and machine intelligence), but it is completely free to use with OSSI. You might want to register for a free account, but even that is not required. The one benefit of an account is removing the rate limit, which can affect larger projects. I haven't hit rate-limit issues in my typically-sized NodeJS projects. You can even submit vulnerability reports via an awesome Git-based process.
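Since the post mentions running AuditJS from a CI/CD pipeline but does not show how, here is a small POSIX shell gate, written for this page as an added example rather than code from the original post or from the AuditJS project. It wraps the command the post uses, npx auditjs ossi, and turns its exit status into a pass/fail decision for the build. The function name audit_gate and the AUDIT_CMD override are my own assumptions; the override exists so the gate logic itself can be exercised without network access or an installed Node toolchain.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): fail a CI job when
# `npx auditjs ossi` reports vulnerable dependencies.
# Assumptions: Node/npm are on PATH in the CI image; AUDIT_CMD is an
# invented override so the gate can be tested with a stand-in command.

AUDIT_CMD="${AUDIT_CMD:-npx auditjs ossi}"

# audit_gate [DIR]
# Runs the audit inside DIR (default: current directory).
# Returns 2 when there is no package.json to audit, otherwise the audit
# tool's own exit status: 0 means nothing was reported, non-zero means
# the pipeline should stop.
audit_gate() {
    dir="${1:-.}"
    if [ ! -f "$dir/package.json" ]; then
        echo "audit_gate: no package.json in $dir, nothing to audit" >&2
        return 2
    fi

    # Run in a subshell so the caller's working directory is unchanged;
    # capture the status explicitly so `set -e` callers still see it.
    status=0
    (cd "$dir" && sh -c "$AUDIT_CMD") || status=$?

    if [ "$status" -ne 0 ]; then
        echo "audit_gate: audit failed in $dir (exit $status); failing the build" >&2
    else
        echo "audit_gate: no vulnerabilities reported in $dir"
    fi
    return "$status"
}
```

In a pipeline step you would call audit_gate on the project directory after npm ci has populated node_modules, with set -e enabled so a non-zero return stops the job; during local experiments you can point AUDIT_CMD at a stand-in command to confirm the gate behaves as expected before wiring in the real tool.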

Let's see what it looks like, and talk about a couple of things which might surprise you when comparing it to npm audit:

➜ npx auditjs ossi

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Mike Hoskins. Read the original post at: https://blog.sonatype.com/compare-npm-audit-versus-auditjs
