Support HTTPS proxy settings of RetireJS
NOTE if you are a user who also would like to see this feature, please UPVOTE
If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information as possible (what they are trying to solve for, their setup) in addition to a Salesforce or Zendesk link.
Release Notes
Thanks to community contributor ankur sethi and their patience, Dependency Scanning now supports proxy settings in RetireJS by respecting the HTTPS_PROXY environment variable. If HTTPS_PROXY is set, its value is passed to the retire command line as the --proxy CLI option. Thank you!
Problem to solve
As a software developer, I want to run Retire.js behind a corporate proxy so that I do not have to create and maintain local copies of the advisory databases (RETIREJS_JS_ADVISORY_DB and RETIREJS_NODE_ADVISORY_DB) by hand.
Intended users
User experience goal
Currently retire.js's proxy support goes unused because the analyzer does not respect the HTTPS_PROXY environment variable. If HTTPS_PROXY is set, its value should be passed to the retire command line as a CLI option.
Proposal
The retire.js analyzer should check whether the HTTPS_PROXY environment variable is set. If it is, the analyzer should set the --proxy option of the retire command accordingly.
Alternatively, the dependency scanner could expose an environment variable carrying extra Retire.js command-line options. This would allow setting additional options beyond the proxy.
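As an added illustration of the proposed analyzer-side check (this is example code, not the analyzer's own implementation and not code from retire.js), here is the argv construction in Go, the language the GitLab analyzers are written in. It assumes a hypothetical buildRetireArgs helper, invokes retire with --outputformat json and --path (existing retire CLI options), and accepts only absolute http:// or https:// proxy URLs, which is what retire's HTTPS proxy agent can use. It also covers a point the proposal does not mention: HTTPS_PROXY frequently carries user:password@ credentials, so the command line must be redacted before it is written to the job log.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// retireArgs holds what the analyzer would exec: the retire argv plus a
// log-safe rendering of it with any proxy password redacted.
type retireArgs struct {
	Argv    []string
	LogLine string
}

// buildRetireArgs (hypothetical helper, not from the analyzer) builds the retire
// command line for projectDir. If httpsProxy (the value of HTTPS_PROXY) is
// non-empty it must be an absolute http(s) URL and is forwarded as
// `--proxy <url>`, because retire.js only configures its proxy agent from that
// option and never from the environment. LogLine uses url.URL.Redacted so a
// user:password@ proxy does not end up in CI job logs.
func buildRetireArgs(projectDir, httpsProxy string) (retireArgs, error) {
	argv := []string{"retire", "--outputformat", "json", "--path", projectDir}
	logArgv := append([]string(nil), argv...)
	if httpsProxy != "" {
		u, err := url.Parse(httpsProxy)
		// "proxy.corp:8080" parses with Scheme "proxy.corp" and an empty Host,
		// so the Host and scheme checks reject bare host:port values.
		if err != nil || !u.IsAbs() || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
			return retireArgs{}, fmt.Errorf("HTTPS_PROXY %q is not an absolute http(s) URL", httpsProxy)
		}
		argv = append(argv, "--proxy", u.String())
		logArgv = append(logArgv, "--proxy", u.Redacted())
	}
	return retireArgs{Argv: argv, LogLine: strings.Join(logArgv, " ")}, nil
}

func main() {
	// Assumed usage: the analyzer reads HTTPS_PROXY from the job environment.
	ra, err := buildRetireArgs("/src", os.Getenv("HTTPS_PROXY"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("would run:", ra.LogLine)
}
```

Only the redacted LogLine should be printed; the unredacted Argv goes to exec.Command and nowhere else.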
Implementation plan
- add support for HTTPS_PROXY: gitlab-org/security-products/analyzers/retire.js!93 (merged)
- add a specific test to the CI config (downstream pipeline using a supported Secure test project)
- update documentation: this is a generic variable that we do not document explicitly. We might have a generic statement added for these variables: !76410 (merged)
Further details
If you check out the README for the retire.js command line you will notice it has an entry for Proxy URL:
--proxy <url> Proxy url (http://some.sever:8080)
Further, if you check the code at https://github.com/RetireJS/retire.js/blob/1aba081b5d5363add13710edeb470d5eb4f3c914/node/lib/repo.js:
if (options.proxy) {
reqOptions.agent = new HttpsProxyAgent(options.proxy);
}
You can see that it does not read the HTTPS_PROXY environment variable. It relies solely on the command-line option being set to use the proxy. Therefore retire.js does not pick up a proxy from the environment, and there is currently no way to pass options to retire.js from the Dependency Scanner.
Permissions and Security
N/A
Documentation
To be documented in "Configuring specific analyzers used by dependency scanning"; see the implementation plan.
We might also add a doc section about setting up HTTPS proxies. This section would list the Dependency Scanning analyzers supporting proxy settings.
Availability & Testing
To be tested using one of the supported Secure test projects:
- create a new branch in tests/js-npm or tests/js-yarn where a proxy is set up; see the offline-FREEZE branch of tests/js-npm
- update the CI configuration of the retire.js analyzer, and add a QA job that uses this branch and where HTTPS_PROXY is set in the variables of the job definition; see js-npm-offline-qa
The test should set up a proxy to access jsrepository.json, npmrepository.json, and to npmjs.com. Direct access to these must be blocked. All this can be done in the before_script of the scanning job, similar to what is done for the offline-FREEZE branch. See https://gitlab.com/gitlab-org/security-products/tests/js-npm/-/blob/offline-FREEZE/.gitlab-ci.yml#L34
What does success look like, and how can we measure that?
The Retire.js analyzer runs behind an HTTPS proxy.
What is the type of buyer?
Is this a cross-stage feature?
No