diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml deleted file mode 100644 index f2d257b394b..00000000000 --- a/.github/workflows/snyk.yml +++ /dev/null @@ -1,21 +0,0 @@ -# This monitors all projects in this repository, beecause the DevX workflow -# passes `--all-projects` to `snyk monitor` -# This will monitor dotcom-rendering, apps-rendering, storybook etc -name: Snyk -on: - schedule: - - cron: '0 6 * * *' - push: - branches: - - main - workflow_dispatch: -permissions: - contents: read -jobs: - security: - uses: guardian/.github/.github/workflows/sbt-node-snyk.yml@main - with: - ORG: guardian-dotcom-n2y - SKIP_SBT: true - secrets: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} diff --git a/dotcom-rendering/README.md b/dotcom-rendering/README.md index 71f4d2ba862..5b446063dc2 100644 --- a/dotcom-rendering/README.md +++ b/dotcom-rendering/README.md @@ -143,9 +143,9 @@ See [the makefile](https://github.com/guardian/dotcom-rendering/blob/main/dotcom [Read about testing tools and testing strategy](docs/testing.md). -### Snyk Code Scanning +### Vulnerabilities -There's a Github action set up on the repository to scan for vulnerabilities. This is set to "continue on error" and so will show a green tick regardless. In order to check the vulnerabilities we can use the Github code scanning feature in the security tab and this will list all vulnerabilities for a given branch etc. You should use this if adding/removing/updating packages to see if there are any vulnerabilities. +To check for vulnerabilities, use the Github code scanning feature in the security tab. This will list all vulnerabilities for a given branch etc. You should use this if adding/removing/updating packages to see if there are any vulnerabilities. ## IDE setup 
diff --git a/dotcom-rendering/docs/development/detecting-and-correcting-vulnerabilities-with-snyk.md b/dotcom-rendering/docs/development/detecting-and-correcting-vulnerabilities-with-snyk.md deleted file mode 100644 index d1759eb9540..00000000000 --- a/dotcom-rendering/docs/development/detecting-and-correcting-vulnerabilities-with-snyk.md +++ /dev/null 
@@ -1,32 +0,0 @@ -# Detecting and correcting vulnerabilities with Snyk - -_note: the following documentation is based on the PR [here](https://github.com/guardian/dotcom-rendering/pull/3116)_ - -## Snyk background - -**Snyk** is a security tool to identify security vulnerabilities within your code dependencies and, where possible, suggest upgrades or patches to fix these vulnerabilities. - -Implementations of Snyk: There are various including on Snyk's own servers or as part of continuous deployment. The two I am familiar with are running Snyk as part of continuous integration process (Github actions) or by developers manually using the Snyk CLI (often as part of a rota). - -The problem(s): In a reasonably well-maintained and contemporary codebase, it is more often than not the case that there are no fixes available for the problems Snyk can identify. As it is a robust tool, it can generally identify quite a few problems. This means Snyk will become very noisy about things that developers have no recourse to fix (short of rewriting the library/plugin/dependency the codebase is reliant on). - -In the case of the continuous integration implementation above, Snyk vulnerabilities will result in a "failing" Github action, which may cause a developer to think the build is broken, or over time, will rightly cause a developer to ignore this action entirely, as the "fail" has taught them that there is not actually a problem they can fix. As we "code in the open," it is also the case that we are revealing to the world known unfixed vulnerabilities in our codebase, although infosec has informed us they do not view this as a concern that outweighs the benefits of this implementation -- the benefits being the frequent reminders to devs that the codebase has vulnerabilities. - -## Snyk wizard rota (adopted approach) - -An alternative approach is to implement a rota for developers to manually run Snyk wizard via the CLI. 
Snyk has been added as a dev dependency, so once it is installed, you may run with: - -``` -make snyk -``` - -Running `make snyk` takes you through all your codebase vulnerabilities one-by-one and gives you the option to upgrade and patch where available. For all other packages, it gives you the choice to ignore the vulnerability completely _or_ to add them to a Snyk policy file (`.snyk`) with an ignore expiration of 30 days. Choosing the latter means that you are acknowledging that the vulnerability has been reported and that there is nothing that can be done for it immediately, and that we are comfortable "skipping" this check for 30 days, when we can check again to see if a patch has been released. - -**In the case that a patch or upgrade is available** it is important that we either have confidence that our tests or codebase will uncover if the upgrade is a "breaking change" or not. - -Before adding any new packages, you can also use sneak to test for vulnerabilities, which is a good thing to incorporate into your dev workflow - -``` -$ snyk test lodash # test latest -$ snyk test lodash@1.0.1 # test specific version -``` diff --git a/dotcom-rendering/docs/snyk/how-to.md b/dotcom-rendering/docs/snyk/how-to.md deleted file mode 100644 index e1bdc5dfb8e..00000000000 --- a/dotcom-rendering/docs/snyk/how-to.md +++ /dev/null @@ -1,52 +0,0 @@ -## Snyk how to guide - -### Pre-requisite - -Ask your EM or DevX to add you to `guardian-dotcom-n2y` Snyk organisation. - -### How to log in - -1. Make sure you are logged in your Guardian Google account. -2. Visit [https://app.snyk.io/login](https://app.snyk.io/login) -3. Either click on the Google button

![snyk_google_login](snyk_google_login.png)

or if you don't see this option click on "Log in with your company SSO", enter your Guardian Google email and proceed. - -### What is the DCR Snyk dashboard structure? - -The current Snyk structure - -![snyk_dcr_structure](snyk-dcr-structure.png) - -corresponds to the following DCR structure: - -``` - dotcom-rendering (@guardian/dotcom-rendering) - dotcom-rendering (dotcom-rendering) - apps-rendering (apps-rendering) - common-rendering (soon to be removed and deactivated in Snyk) - storybooks (storybooks) -``` - -### How to run Snyk locally? - -1. Install the Snyk CLI - - using npm: `npm install snyk -g` -2. Authenticate your machine to associate the Snyk CLI with your Snyk account. There are currently two ways to do this locally: - - Run `snyk auth`. This will open a browser window with prompts to log in to your Snyk account and authenticate. If you're already logged it, you will be authenticated automatically. - - Using your API token. To do this follow the instructions in the [official documentation](https://docs.snyk.io/snyk-cli/authenticate-the-cli-with-your-account). -3. Run: - - `make snyk` for `@guardian/dotcom-rendering`. - - `make snyk-dcr` for `dotcom-rendering` - - `make snyk-ar` for `apps-rendering` - - `make snyk-storybooks` for `storybooks` - -This is especially helpful if you want to know early in the development cycle whether you have fixed a vulnerability or to make sure you haven't introduced a new one. - -### How to ignore a vulnerability? - -By using the UI you can get the following options when you click "Ignore":

-![How to ingore a vulnerabilty](snyk-screenshot.png) - -### How to see previous scans of a project? - -You can find previous scans (up to a day ago) in the `History` tab. This can be useful if you would like to check whether your merged change had an effect on the number of vulnerabilities.

-![Snyk_History](snyk-history.png) diff --git a/dotcom-rendering/docs/snyk/snyk-dcr-structure.png b/dotcom-rendering/docs/snyk/snyk-dcr-structure.png deleted file mode 100644 index 2abcc4a7750..00000000000 Binary files a/dotcom-rendering/docs/snyk/snyk-dcr-structure.png and /dev/null differ diff --git a/dotcom-rendering/docs/snyk/snyk-history.png b/dotcom-rendering/docs/snyk/snyk-history.png deleted file mode 100644 index 1f284a2e59f..00000000000 Binary files a/dotcom-rendering/docs/snyk/snyk-history.png and /dev/null differ diff --git a/dotcom-rendering/docs/snyk/snyk-screenshot.png b/dotcom-rendering/docs/snyk/snyk-screenshot.png deleted file mode 100644 index 8eb25bc2403..00000000000 Binary files a/dotcom-rendering/docs/snyk/snyk-screenshot.png and /dev/null differ diff --git a/dotcom-rendering/docs/snyk/snyk_google_login.png b/dotcom-rendering/docs/snyk/snyk_google_login.png deleted file mode 100644 index 316f887ff15..00000000000 Binary files a/dotcom-rendering/docs/snyk/snyk_google_login.png and /dev/null differ diff --git a/dotcom-rendering/docs/snyk/snyk_google_sso.png b/dotcom-rendering/docs/snyk/snyk_google_sso.png deleted file mode 100644 index 01ff6306ffe..00000000000 Binary files a/dotcom-rendering/docs/snyk/snyk_google_sso.png and /dev/null differ diff --git a/dotcom-rendering/makefile b/dotcom-rendering/makefile index eec23b732bc..2004ece51e1 100644 --- a/dotcom-rendering/makefile +++ b/dotcom-rendering/makefile 
@@ -203,20 +203,3 @@ gen-fixtures: perf-test: @node scripts/perf/perf-test.js - -# Because Snyk finds vulnerabilities snyk test command exits with error code 1 and make picks it up. -# Adding - at the beginning of the command ignores the error and we're getting: -# make: [snyk] Error 1 (ignored) -# See docs: https://www.gnu.org/software/make/manual/html_node/Errors.html#:~:text=To%20ignore%20errors%20in%20a,to%20the%20shell%20for%20execution.&text=This%20causes%20make%20to%20continue,unable%20to%20remove%20a%20file - -snyk: - -@snyk test --severity-threshold=high --file="../package.json" - -snyk-dcr: - -@snyk test --severity-threshold=high --file=package.json - -snyk-ar: - -@snyk test --severity-threshold=high --file=../apps-rendering/package.json - -snyk-storybooks: - -@snyk test --severity-threshold=high --file=../storybooks/package.json diff --git a/dotcom-rendering/package.json b/dotcom-rendering/package.json index ddefcf7c516..c17338bb49b 100644 --- a/dotcom-rendering/package.json +++ b/dotcom-rendering/package.json @@ -221,7 +221,6 @@ "semver": "7.5.4", "serve-static": "1.15.0", "simple-progress-webpack-plugin": "2.0.0", - "snyk": "1.1103.0", "source-map": "0.7.4", "start-server-and-test": "2.0.3", "storybook": "7.6.6", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index b5dcee86c4e..48e0796559d 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -867,9 +867,6 @@ importers: simple-progress-webpack-plugin: specifier: 2.0.0 version: 2.0.0(webpack@5.89.0) - snyk: - specifier: 1.1103.0 - version: 1.1103.0 source-map: specifier: 0.7.4 version: 0.7.4 
@@ -6686,15 +6683,6 @@ packages: '@sentry/utils': 7.75.1 dev: false - /@sentry-internal/tracing@7.88.0: - resolution: {integrity: sha512-xXQdcYhsS+ourzJHjXNjZC9zakuc97udmpgaXRjEP7FjPYclIx+YXwgFBdHM2kzAwZLFOsEce5dr46GVXUDfZw==} - engines: {node: '>=8'} - dependencies: - '@sentry/core': 7.88.0 - '@sentry/types': 7.88.0 - '@sentry/utils': 7.88.0 - dev: false - /@sentry/browser@7.75.1: resolution: {integrity: sha512-0+jPfPA5P9HVYYRQraDokGCY2NiMknSfz11dggClK4VmjvG+hOXiEyf73SFVwLFnv/hwrkWySjoIrVCX65xXQA==} engines: {node: '>=8'} @@ -6714,14 +6702,6 @@ packages: '@sentry/utils': 7.75.1 dev: false - /@sentry/core@7.88.0: - resolution: {integrity: sha512-Jzbb7dcwiCO7kI0a1w+32UzWxbEn2OcZWzp55QMEeAh6nZ/5CXhXwpuHi0tW7doPj+cJdmxMTMu9LqMVfdGkzQ==} - engines: {node: '>=8'} - dependencies: - '@sentry/types': 7.88.0 - '@sentry/utils': 7.88.0 - dev: false - /@sentry/integrations@7.75.1: resolution: {integrity: sha512-qSCyTNX3DiL1aYRmdq10LRhPLfh1KJYKhbmGszC1PII4mt9FbLVmC8fSXiDbhgiuSUKKrDE+J2lC//w688lvHw==} engines: {node: '>=8'} @@ -6732,19 +6712,6 @@ packages: localforage: 1.10.0 dev: false - /@sentry/node@7.88.0: - resolution: {integrity: sha512-X6Xyh7AEitnWqn1CHQrmsUqRn0GKj/6nPE5VC2DLQfHiFH1Fknrt+csFzDchQ/86awXYwuY4Le5ECEH//X/WzQ==} - engines: {node: '>=8'} - dependencies: - '@sentry-internal/tracing': 7.88.0 - '@sentry/core': 7.88.0 - '@sentry/types': 7.88.0 - '@sentry/utils': 7.88.0 - https-proxy-agent: 5.0.1 - transitivePeerDependencies: - - supports-color - dev: false - /@sentry/replay@7.75.1: resolution: {integrity: sha512-MKQTDWNYs9QXCJ+irGX5gu8Kxdk/Ds5puhILy8+DnCoXgXuPFRMGob1Sxt8qXmbQmcGeogsx221MNTselsRS6g==} engines: {node: '>=12'} 
@@ -6760,11 +6727,6 @@ packages: engines: {node: '>=8'} dev: false - /@sentry/types@7.88.0: - resolution: {integrity: sha512-FvwvmX1pWAZKicPj4EpKyho8Wm+C4+r5LiepbbBF8oKwSPJdD2QV1fo/LWxsrzNxWOllFIVIXF5Ed3nPYQWpTw==} - engines: {node: '>=8'} - dev: false - /@sentry/utils@7.75.1: resolution: {integrity: sha512-QzW2eRjY20epD//9/tQ0FTNwdAL6XZi+LyJNUQIeK3NMnc5NgHrgpxId87gmFq8cNx47utH1Blub8RuMbKqiwQ==} engines: {node: '>=8'} @@ -6772,13 +6734,6 @@ packages: '@sentry/types': 7.75.1 dev: false - /@sentry/utils@7.88.0: - resolution: {integrity: sha512-ukminfRmdBXTzk49orwJf3Lu3hR60ZRHjE2a4IXwYhyDT6JJgJqgsq1hzGXx0AyFfyS4WhfZ6QUBy7fu3BScZQ==} - engines: {node: '>=8'} - dependencies: - '@sentry/types': 7.88.0 - dev: false - /@sideway/address@4.1.4: resolution: {integrity: sha512-7vwq+rOHVWjyXxVlR76Agnvhy8I9rpzjosTESvmhNeXOXdZZB15Fl+TI9x1SiHZH5Jv2wTGduSxFDIaq0m3DUw==} dependencies: @@ -19987,17 +19942,6 @@ packages: tslib: 2.6.2 dev: false - /snyk@1.1103.0: - resolution: {integrity: sha512-ySlM7VI4H09ReVMe8iB1aB5xNzY29YgLOeDmfPp1jo/d7aZWW8aXfAzOcXEcLDmX9HWmmTnzY4aGiULmHNQ1HA==} - engines: {node: '>=12'} - hasBin: true - requiresBuild: true - dependencies: - '@sentry/node': 7.88.0 - transitivePeerDependencies: - - supports-color - dev: false - /sockjs@0.3.24: resolution: {integrity: sha512-GJgLTZ7vYb/JtPSSZ10hsOYIvEYsjbNU+zPdIHcUaWVNUEPivzxku31865sSSud0Da0W4lEeOPlmw93zLQchuQ==} dependencies:
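Review bot: the README hunk in `dotcom-rendering/README.md` tells developers to rely on the GitHub code scanning feature in the security tab, but nothing in this patch enables or configures that replacement: `.github/workflows/snyk.yml` (the daily 06:00 and push-to-`main` `snyk monitor` run) is deleted and no code-scanning or Dependabot configuration is added in its place. Please confirm the feature is actually switched on for the repository and link the relevant settings page or configuration from the README, so the replacement is verifiable rather than implied.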
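Review bot: minor wording in the README hunk: "Github" should be "GitHub", and "for a given branch etc." is vague; state which branches produce results (for example whether a feature branch is scanned before merge) so readers know when to expect the security tab to reflect a package change.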
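Review bot: the deleted guide `docs/development/detecting-and-correcting-vulnerabilities-with-snyk.md` describes ignores being written to a `.snyk` policy file with a 30-day expiry, yet this patch neither removes nor mentions such a file. If one exists in the repository it is now dead configuration, and any ignores recorded there silently stop being tracked; please check for it and remove it in the same change, or say why it stays.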
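Review bot: the makefile hunk removes the `snyk`, `snyk-dcr`, `snyk-ar` and `snyk-storybooks` targets together with the comment explaining the `-@` error-ignoring prefix, which is the right pairing; please also grep for remaining callers of `make snyk` in scripts, CI or other docs (the README hunk covers only the reference there) so nothing fails on a missing target.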
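Review bot: the `pnpm-lock.yaml` hunks drop `snyk@1.1103.0` together with the `@sentry/*@7.88.0` entries that only it depended on, leaving the 7.75.1 versions used elsewhere, which is consistent with a regenerated lockfile; please confirm it was produced by `pnpm install` rather than hand-edited, so that an install with `--frozen-lockfile` does not fail on a mismatch.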