Auto-remediation has no diff for yarn.lock
Summary
When processing a Yarn project, Auto-Remediation for Dependency Scanning doesn't include changes to yarn.lock, even though these changes are the remediation itself. Because of that, a remediation is not generated unless there's a change to package.json, even if this change isn't relevant. In any case, there's no diff for yarn.lock, and the remediation is invalid.
Initial bug report (ZD: https://gitlab.zendesk.com/agent/tickets/158755, Internal):

While trying out the suggested solutions feature as per the docs (https://docs.gitlab.com/ee/user/application_security/#solutions-for-vulnerabilities-auto-remediation), one of our customers faced an issue with the recommended solution for the detected vulnerability. The solution is to just re-order the dependencies, which didn't solve the vulnerability:

Just wondering if this feature is working as expected as mentioned in the docs, or else it's still in the early stages. Tried to replicate the issue, and the recommended solution shows a similar pattern for this vulnerability. Any insights on this would be super helpful.
Improper Input Validation in minimist
--- a/package.json
+++ b/package.json
@@ -17,11 +17,11 @@
},
"dependencies": {
+ "bootstrap-select": "1.13.6",
"handlebars": "^4.1.2"
- "bootstrap-select": "1.13.6",
"saml2-js": "1.6.0"
},
"devDependencies": {
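Review bot: this hunk does not change any dependency version, so it cannot remediate the minimist advisory it is attached to: the only effect is moving `"bootstrap-select": "1.13.6"` above `"handlebars": "^4.1.2"`, with identical values on the `+` and `-` lines, and there is no companion hunk for yarn.lock, which is the file that would have to pin a fixed minimist release. A remediation patch that consists solely of a reorder in package.json and no yarn.lock change should not be generated; comparing the parsed dependency maps before and after (rather than the raw text) would detect this reorder as a no-op, and the yarn.lock diff should be required for the remediation to be emitted at all. As shown, the `"handlebars": "^4.1.2"` context line also has no trailing comma before `"saml2-js"`; if that is not an extraction artifact, the patched file is not valid JSON either.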
Further details
Auto-remediation for Yarn is implemented in the gemnasium project. It relies on the yarn CLI to update package.json and yarn.lock, respectively the editable dependency file and the generated lock file.

yarn might update package.json even though the dependencies haven't changed. In particular, it might reformat the JSON document, reorder the dependencies, or add an EOL character at the end of the file. Such changes are irrelevant but are nevertheless included in the remediation diff.

yarn also updates yarn.lock, but for some reason this is not included in the remediation diff. This is the main problem, since yarn.lock needs to be updated in order to remediate the vulnerability.

Since yarn.lock is ignored when generating the diff, we get no diff when package.json is unchanged, thus no remediation. Also, we get an irrelevant diff when yarn simply reformats package.json.
Steps to reproduce
- Import https://gitlab.com/enriquesantosblanco/dependency-vulnerability-comparison-yarn
- Create an MR that adds whitespace to package.json and merge it once the pipeline is passing.
- Go to the security dashboard and find "Modification of Assumed-Immutable Data (MAID) in lodash".
- Create remediations for this vulnerability
See #220487 (comment 406058352)
Example Project
What is the current bug behavior?
The vulnerability has a remediation where only package.json is reformatted. This doesn't solve the vulnerability.
What is the expected correct behavior?
The remediation updates yarn.lock. Also, ideally the remediation doesn't update package.json with changes that are not relevant to the remediation.
Relevant logs and/or screenshots
Possible fixes
- Figure out why gemnasium doesn't include yarn.lock in the remediation diff.
- Make sure auto-remediation is skipped when package.json changes but yarn.lock doesn't.
- Make sure this is covered by QA, using test projects.
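As an added example, not part of this issue and not gemnasium's own code, the following Python script implements the behaviour described under "Further details" and the first two items in the list above: it skips a remediation whose yarn.lock is unchanged, builds a patch that always includes the yarn.lock diff, and drops the package.json diff when yarn merely reformatted or reordered the file. The before/after snapshots as a {path: text} mapping are an assumed input shape, and the package.json, yarn.lock contents, versions and registry URL are constructed sample data.

```python
"""Added example (not gemnasium's code): decide whether a Yarn
auto-remediation is real, and build a patch that covers yarn.lock.

Assumed input shape: the project files captured before and after
running the yarn CLI, as {path: file text}.
"""
import difflib
import json
from typing import Dict, Optional


def package_json_semantically_changed(before: str, after: str) -> bool:
    """True only when a key or value in package.json actually differs.

    Whitespace, key order and a trailing newline are ignored because
    json.loads normalises them away; a pure reorder by yarn is a no-op.
    """
    return json.loads(before) != json.loads(after)


def unified_diff(path: str, before: str, after: str) -> str:
    """Unified diff of one file in the a/ b/ form used in MR patches.

    Inputs are expected to end with a newline (difflib does not emit
    the '\\ No newline at end of file' marker).
    """
    return "".join(difflib.unified_diff(
        before.splitlines(keepends=True),
        after.splitlines(keepends=True),
        fromfile="a/" + path, tofile="b/" + path))


def build_remediation(before: Dict[str, str],
                      after: Dict[str, str]) -> Optional[str]:
    """Return the remediation patch, or None when there is nothing to remediate.

    Rules (derived from this bug report, not gemnasium's actual logic):
      * yarn.lock is what pins the resolved version, so an unchanged
        yarn.lock means yarn resolved nothing new: skip entirely.
      * package.json is included only if it changed semantically; a
        pure reformat/reorder by yarn is left out of the patch.
    """
    if before.get("yarn.lock") == after.get("yarn.lock"):
        return None
    patch = ""
    if package_json_semantically_changed(before["package.json"],
                                         after["package.json"]):
        patch += unified_diff("package.json",
                              before["package.json"], after["package.json"])
    patch += unified_diff("yarn.lock", before["yarn.lock"], after["yarn.lock"])
    return patch


# Constructed sample files; versions and the registry URL are placeholders.
PKG = ('{\n  "dependencies": {\n    "handlebars": "^4.1.2",\n'
       '    "lodash": "^4.17.15"\n  }\n}\n')
# Same dependencies, only reordered (what yarn may do on its own).
PKG_REORDERED = ('{\n  "dependencies": {\n    "lodash": "^4.17.15",\n'
                 '    "handlebars": "^4.1.2"\n  }\n}\n')
# A real change: the lodash range was bumped.
PKG_BUMPED = ('{\n  "dependencies": {\n    "handlebars": "^4.1.2",\n'
              '    "lodash": "^4.17.19"\n  }\n}\n')
LOCK = ('lodash@^4.17.15:\n  version "4.17.15"\n'
        '  resolved "https://registry.example/lodash-4.17.15.tgz"\n')
# yarn re-resolved within the existing range: only the lock file moves.
LOCK_FIXED = ('lodash@^4.17.15:\n  version "4.17.19"\n'
              '  resolved "https://registry.example/lodash-4.17.19.tgz"\n')
# Lock file matching the bumped range in PKG_BUMPED.
LOCK_BUMPED = ('lodash@^4.17.19:\n  version "4.17.19"\n'
               '  resolved "https://registry.example/lodash-4.17.19.tgz"\n')


if __name__ == "__main__":
    # The bug's case: yarn reordered package.json, yarn.lock untouched.
    print(build_remediation({"package.json": PKG, "yarn.lock": LOCK},
                            {"package.json": PKG_REORDERED, "yarn.lock": LOCK}))
    # A valid remediation: only yarn.lock carries the fix.
    print(build_remediation({"package.json": PKG, "yarn.lock": LOCK},
                            {"package.json": PKG_REORDERED, "yarn.lock": LOCK_FIXED}))
```

Comparing the parsed JSON rather than the text is what turns the reorder shown in the minimist screenshot into a no-op; the yarn.lock text comparison is deliberately literal, since any change there (a new version, resolved URL or integrity hash) is part of the fix and belongs in the MR.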
ZD: https://gitlab.zendesk.com/agent/tickets/158755 (Internal)