Running NSP Offline

Node Security Project (nsp), the command line tool that checks JavaScript projects for use of insecure packages, is a great way to start any assessment. It’s a quick and easy check to run. Recently, while performing an assessment, I needed to run nsp against multiple applications while flying. Instead of paying a ridiculous amount for GoGo inflight wifi, I set up my laptop to be able to run nsp while offline.

You’ll need to do this setup before you lose internet access.

First, you’ll need to create an npm-shrinkwrap.json for each project. From the documentation:

This command repurposes package-lock.json into a publishable npm-shrinkwrap.json or simply creates a new one. The file created and updated by this command will then take precedence over any other existing or future package-lock.json files.
$ npm shrinkwrap

If you run into errors you may need to follow the steps here to get npm shrinkwrap to work.

Next we’ll need to download the advisories.json file that has all of the known insecure packages nsp checks. You can download this to your home directory and point nsp to it during the scan.

$ curl -sS https://api.nodesecurity.io/advisories -o ~/advisories.json

One issue with this is that the Node Security API paginates the advisories 100 at a time. We have to pull down all 384 (as of 9/19/17) advisories for this to actually be effective. I’ll update this blog with a solution soon.

Finally, we’ll run nsp in offline mode. We need to pass in a couple of options. You’ll need to have your npm-shrinkwrap.json in the same directory you’re running this from, and you’ll pass in the location of the advisories.json as well.

$ nsp check --offline --advisoriesPath=/path/to/advisories.json -o summary
(+) No known vulnerabilities found

And we’re good!
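To make clear what the offline check is actually doing with those two files, here is an added example (my own code, not nsp’s) of a minimal offline advisory matcher: it walks the nested dependencies tree of an npm-shrinkwrap.json, compares every installed version against each advisory’s vulnerable version range, and prints a summary in the same spirit as nsp’s output. The shrinkwrap and advisory data are constructed inline so it runs with no network, and the advisory field names (module_name, vulnerable_versions) and the supported range syntax are assumptions, not copied from the real advisories.json format.

```javascript
// Added example, not nsp's own code: a minimal offline advisory check.
// Walks the nested "dependencies" tree of an npm-shrinkwrap.json and
// reports every installed version that falls inside an advisory's
// vulnerable_versions range. Only the semver range syntax used below
// (comparators joined by spaces for AND, "||" for OR) is supported.

// Constructed sample shrinkwrap, in the shape npm-shrinkwrap.json uses.
const SAMPLE_SHRINKWRAP = {
  name: 'sample-app',
  version: '1.0.0',
  dependencies: {
    'left-lib': {
      version: '1.2.0',
      dependencies: { 'tiny-util': { version: '0.9.1' } }, // nested, older copy
    },
    'tiny-util': { version: '2.0.0' },
    'safe-lib': { version: '3.1.4' },
  },
};

// Constructed sample advisories. The field names are an assumption about
// the advisories.json shape, not taken from the page.
const SAMPLE_ADVISORIES = [
  { id: 1, module_name: 'tiny-util', vulnerable_versions: '<1.0.0',
    title: 'Example prototype pollution' },
  { id: 2, module_name: 'left-lib', vulnerable_versions: '>=1.0.0 <1.2.0 || >=2.0.0 <2.0.3',
    title: 'Example ReDoS' },
];

// Plain MAJOR.MINOR.PATCH only; prerelease tags are not handled here.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// One comparator such as "<1.2.0", ">=2.0.0" or a bare "1.0.0" (equality).
function matchesComparator(version, comparator) {
  const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error('unsupported comparator: ' + comparator);
  const op = m[1] || '=';
  const c = compareVersions(version, m[2]);
  switch (op) {
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    default: return c === 0;
  }
}

// A range is "||"-separated alternatives; each alternative is a
// space-separated AND of comparators.
function inRange(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(cmp => matchesComparator(version, cmp))
  );
}

// Flatten the nested tree into {name, version, path} entries so nested
// (shadowed) copies of a package are checked too, not just top-level ones.
function walkDependencies(deps, parentPath, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = parentPath.concat(name);
    out.push({ name, version: info.version, path });
    walkDependencies(info.dependencies, path, out);
  }
  return out;
}

function checkShrinkwrap(shrinkwrap, advisories) {
  const installed = walkDependencies(shrinkwrap.dependencies, [], []);
  const findings = [];
  for (const pkg of installed) {
    for (const adv of advisories) {
      if (adv.module_name === pkg.name && inRange(pkg.version, adv.vulnerable_versions)) {
        findings.push({
          advisoryId: adv.id,
          module: pkg.name,
          version: pkg.version,
          path: pkg.path.join(' > '),
          title: adv.title,
        });
      }
    }
  }
  return findings;
}

const results = checkShrinkwrap(SAMPLE_SHRINKWRAP, SAMPLE_ADVISORIES);
if (results.length === 0) {
  console.log('(+) No known vulnerabilities found');
} else {
  for (const f of results) {
    console.log(`(!) ${f.module}@${f.version} [${f.path}]: ${f.title} (advisory ${f.advisoryId})`);
  }
}
```

With the constructed data, the top-level tiny-util@2.0.0 is clean but the older tiny-util@0.9.1 nested under left-lib is flagged, which is exactly why the check needs the full shrinkwrap tree rather than just the top-level package.json dependencies. A real run would replace the two inline objects with JSON.parse of npm-shrinkwrap.json and the downloaded advisories file.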