
Fix NPM compliance issues detected by Secure Supply Chain Analysis

Open jonthysell opened this issue 1 year ago • 5 comments

Problem Description

The Secure Supply Chain Analysis task runs on our publish and compliance pipelines, and has detected multiple issues with how we consume NPM packages.

Detection logic: https://docs.opensource.microsoft.com/tools/nuget_security_analysis/azure_artifacts_checks/
Specific remedies for each error type: https://aka.ms/cfs

##[warning]packages/e2e-test-app/.npmrc - CFS0002: missing registry option.
##[warning]packages/sample-apps/.npmrc - CFS0002: missing registry option.
##[warning]vnext/.npmrc - CFS0002: missing registry option.
##[warning]package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@office-iss/react-native-win32-tester/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@office-iss/react-native-win32/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/automation-channel/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/automation-commands/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/automation/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/cli/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/cli/src/e2etest/projects/BarPackage/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/cli/src/e2etest/projects/FooPackage/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/codegen/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/find-repo-root/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/fs/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/package-utils/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/telemetry/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/tester/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/virtualized-list/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native/repo-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native/tester/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/babel-node-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/beachball-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/create-github-releases/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/doxysaurus/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/eslint-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/format-files/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/generated-beachball-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/integrate-rn/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/jest-debug-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/jest-e2e-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/jest-out-of-snapshot-resolver/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/jest-out-of-tree-resolver/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/jest-unittest-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/just-task/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/metro-dev-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/promote-release/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/stamp-version/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/take-screenshot/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/ts-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/debug-test/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/integration-test-app/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/playground/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/react-native-platform-override/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/react-native-windows-init/package.json - CFS0001: missing sibling .npmrc file.
##[warning]vnext/src/babel-plugin-codegen/package.json - CFS0001: missing sibling .npmrc file.

Steps To Reproduce

See results from the task running in a pipeline: Pipelines - Run RNW_0.0.0-canary.538 logs

Expected Results

No response

CLI version

npx react-native --version

Environment

npx react-native info

Target Platform Version

No response

Target Device(s)

No response

Visual Studio Version

No response

Build Configuration

No response

Snack, code example, screenshot, or link to a repository

No response

jonthysell avatar Aug 04 '22 18:08 jonthysell

Note, these warnings all look like they assume a closed-source project which requires MSFT AAD credentials to authenticate and download packages to build the source.

So this may just need to go on the backlog until compliance has a solution for teams which produce OSS that customers build from source.

jonthysell avatar Aug 04 '22 19:08 jonthysell

One workaround would be to create the approved, authenticated ADO NPM feed but only add it to the .npmrc files in CI. We could call a script as a part of a git post-checkout hook.

jonthysell avatar Aug 04 '22 21:08 jonthysell

Also, I don't know how long this has been a problem; no one's complaining about this. I just noticed it when fixing the NuGet feed issues. I hadn't seen that the compliance task now also checks NPM stuff.

jonthysell avatar Aug 04 '22 22:08 jonthysell

What's the difference between an error vs. warning from this tool? How important are these issues?

chrisglein avatar Aug 08 '22 18:08 chrisglein

> What's the difference between an error vs. warning from this tool? How important are these issues?

Like I said, no one's reached out and complained about this; we've been ignoring the warnings for a long while now. However, there may be some changes to that policy; currently on an internal thread with @dannyvv and CFS folks.

jonthysell avatar Aug 09 '22 16:08 jonthysell