This repository has been archived by the owner on May 24, 2024. It is now read-only.

CI/CD-NPM_auditbuild scripts #3946

Closed
wants to merge 4 commits into from

Conversation

@udaymattam
Contributor

udaymattam commented Oct 18, 2023

Summary

Creating "npm audit" during the ci/cd build

What was changed:

Why it was changed:

Testing

This change was tested using:

  • WDIO
  • Jest
  • Visual testing (please attach a screenshot or recording)
  • Other (please describe below)
  • No tests are needed

Reviews

In addition to engineering reviews, this PR needs:

  • UX review
  • Accessibility review
  • Functional review

Additional Details

This PR resolves:

UXPLATFORM-XXXX


Thank you for contributing to Terra.
@cerner/terra

@sdadn
Contributor

sdadn commented Oct 18, 2023

What is the purpose for this change?

@udaymattam
Contributor Author

> What is the purpose for this change?

https://jira2.cerner.com/browse/UXPLATFORM-8278 - this is a PR audit that will run when a PR builds. As of now it will give an audit report & log all the vulnerabilities. If we want to fail, we can fail for critical & high vulnerabilities; that will be a feature enhancement.

@sycombs
Contributor

sycombs commented Oct 19, 2023

> What is the purpose for this change?
>
> https://jira2.cerner.com/browse/UXPLATFORM-8278 - this is a PR audit that will run when a PR builds. As of now it will give an audit report & log all the vulnerabilities. If we want to fail, we can fail for critical & high vulnerabilities; that will be a feature enhancement.

Do we really want to fail builds for vulnerabilities or should we just run the audit script separately from the CI/CD periodically and log Jiras based on that?

@sdadn
Contributor

sdadn commented Oct 19, 2023

> Do we really want to fail builds for vulnerabilities or should we just run the audit script separately from the CI/CD periodically and log Jiras based on that?

Yeah I don't think we should fail builds, this will add potential blockers to merging PRs & doing releases. I also have concerns about inflating build times if we're only going to throw out warnings.

@udaymattam
Contributor Author

> Do we really want to fail builds for vulnerabilities or should we just run the audit script separately from the CI/CD periodically and log Jiras based on that?
>
> Yeah I don't think we should fail builds, this will add potential blockers to merging PRs & doing releases. I also have concerns about inflating build times if we're only going to throw out warnings.

> What is the purpose for this change?
>
> https://jira2.cerner.com/browse/UXPLATFORM-8278 - this is a PR audit that will run when a PR builds. As of now it will give an audit report & log all the vulnerabilities. If we want to fail, we can fail for critical & high vulnerabilities; that will be a feature enhancement.

> Do we really want to fail builds for vulnerabilities or should we just run the audit script separately from the CI/CD periodically and log Jiras based on that?

We are not failing the build for vulnerabilities. I compared the build time and it doesn't take much time (< 201 325ms). Moreover, it is used to see how many CVEs (vulnerabilities) are being monitored.
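The behaviour discussed in this thread (log every finding from `npm audit`, and optionally fail the build only for high/critical severities as a later enhancement), as an added example that is not part of this PR or the Terra code base. It assumes the npm 7+ `npm audit --json` format, where `metadata.vulnerabilities` carries per-severity counts; `SAMPLE_REPORT` and the `AUDIT_FAIL_ON` environment variable are constructed for illustration.

```python
import json
import os
import subprocess
from typing import Dict, Tuple

SEVERITIES = ("info", "low", "moderate", "high", "critical")


def summarize(report: dict) -> Dict[str, int]:
    """Extract per-severity counts from an `npm audit --json` report (npm >= 7 layout)."""
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    return {sev: int(counts.get(sev, 0)) for sev in SEVERITIES}


def should_fail(counts: Dict[str, int], fail_on: Tuple[str, ...] = ("high", "critical")) -> bool:
    """Gate decision: fail only when a severity listed in `fail_on` has a non-zero count.
    An empty `fail_on` is the report-only mode the thread settles on."""
    return any(counts.get(sev, 0) > 0 for sev in fail_on)


def run_audit(cwd: str = ".") -> dict:
    """Run npm audit in the project directory and parse its JSON output.
    npm exits non-zero whenever it finds vulnerabilities, so the exit code is ignored here;
    only unparsable output (e.g. npm missing) is treated as an error."""
    proc = subprocess.run(["npm", "audit", "--json"], cwd=cwd, capture_output=True, text=True)
    if not proc.stdout.strip():
        raise RuntimeError(f"npm audit produced no output: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


# Constructed sample of the metadata block npm emits; not real audit output.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "metadata": {
        "vulnerabilities": {"info": 0, "low": 2, "moderate": 5, "high": 1, "critical": 0, "total": 8}
    },
}

if __name__ == "__main__":
    # AUDIT_FAIL_ON is a constructed knob, e.g. "high,critical"; unset means report-only.
    fail_on = tuple(s for s in os.environ.get("AUDIT_FAIL_ON", "").split(",") if s)
    counts = summarize(run_audit())
    for sev in SEVERITIES:
        print(f"{sev:>9}: {counts[sev]}")
    raise SystemExit(1 if should_fail(counts, fail_on) else 0)
```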

@sdadn
Contributor

sdadn commented Oct 23, 2023

If it's simply a matter of monitoring CVEs then those are output from npm install anyway, e.g.

[screenshot: CleanShot 2023-10-23 at 07 57 07]

npm audit simply gives a detailed report with potential fixes. I do not see any advantage of adding this command to the CI/CD when it should be run locally.

@kenk2
Contributor

kenk2 commented Oct 23, 2023

Agreed with @sdadn and @sycombs. If we introduce this into the CI, we'll either ignore it if it doesn't fail the build, or it will become a needless blocker of our work if it does.


stale bot commented Dec 24, 2023

This issue has been automatically marked as inactive because it has not had recent activity. It will be closed in seven days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the inactive label Dec 24, 2023
@stale stale bot closed this Jan 1, 2024