monch1962 / docker-accessibility-check

Docker container to run Axe accessibility tests against URLs

License: MIT License

Dockerfile 19.44% TypeScript 66.14% Shell 14.42%
accessibility docker axe-core playwright-typescript

docker-accessibility-check's Introduction

docker-accessibility-check

Overview

This tool runs accessibility tests from a Docker container and supports pipelined accessibility testing. The data it returns (JSON and exit codes) is simple to consume with CI toolsets.

Why a Docker image?

Being implemented as a Docker image brings advantages for CI use:

  • most CI tools have established patterns for using and consuming tools implemented as Docker images
  • there's no complex config/build/install dependencies required to use the tool; just build the Docker image on any Docker host and start using it
  • the Docker image can be versioned and stored to align with an organisation's security controls and infrastructure capability
  • a reference Docker image can be maintained in a public repository for general purpose consumption by anyone not interested in what's going on behind the scenes
  • Docker brings a level of long-term security; it's not going away as a platform any time soon
  • I can modernise how the tool works 'under the covers', even to the extent of changing languages and frameworks, without impacting anyone consuming the tool

Implementation

Like many non-trivial open-source tools, this tool is built on top of a whole bunch of great tools:

Usage

To build Docker image locally

$ docker build -t check-accessibility .

To run from a local copy

$ docker run -e URL=https://jsonplaceholder.typicode.com -v "$(pwd)/results:/usr/src/app/results" check-accessibility:latest

You'll then see accessibility violations in JSON and HTML formats in the results directory under your current working directory.

To push to Google Container Registry (gcr.io)

$ docker build -t check-accessibility .

$ docker tag check-accessibility:latest gcr.io/check-accessibility/check-accessibility:0.1

$ docker push gcr.io/check-accessibility/check-accessibility:0.1

To pull & run from Google Container Registry (gcr.io)

$ docker pull gcr.io/check-accessibility/check-accessibility:0.1

$ docker run -e URL=https://jsonplaceholder.typicode.com -v "$(pwd)/results:/usr/src/app/results" gcr.io/check-accessibility/check-accessibility:0.1

You'll then see accessibility violations in JSON and HTML formats in the results directory under your current working directory.


docker-accessibility-check's Issues

CVE-2022-25851 (High) detected in jpeg-js-0.4.3.tgz

CVE-2022-25851 - High Severity Vulnerability

Vulnerable Library - jpeg-js-0.4.3.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jpeg-js/package.json

Dependency Hierarchy:

  • playwright-1.10.0.tgz (Root Library)
    • jpeg-js-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: ee72b8b6c5613d7cd6fb7f1f7b70ba20bd8c6821

Found in base branch: main

Vulnerability Details

Versions of the package jpeg-js before 0.4.4 are vulnerable to Denial of Service (DoS), where a particular piece of input will cause it to enter an infinite loop and never return.

Publish Date: 2022-06-10

URL: CVE-2022-25851

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-06-10

Fix Resolution (jpeg-js): 0.4.4

Direct dependency fix Resolution (playwright): 1.11.0-1620262237000


Step up your Open Source Security Game with Mend here

qemu-x86_64: Could not open '/lib64/ld-linux-x86-64.so.2': No such file or directory

On Mac OS ( Macbook M1 )

% docker run -e URL=https://jsonplaceholder.typicode.com -v $(pwd)/results:/usr/src/app/results check-accessibility:latest
node:internal/process/promises:261
          triggerUncaughtException(err, true /* fromPromise */);
          ^

browserType.launch: Protocol error (Browser.getVersion): Browser closed.
==================== Browser output: ====================
<launching> /ms-playwright/chromium-857950/chrome-linux/chrome --disable-background-networking --enable-features=NetworkService,NetworkServiceInProcess --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=TranslateUI,BlinkGenPropertyTrees,ImprovedCookieControls,SameSiteByDefaultCookies,LazyFrameLoading --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --user-data-dir=/tmp/playwright_chromiumdev_profile-gnq6ei --remote-debugging-pipe --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --no-startup-window
<launched> pid=25
[pid=25][err] qemu-x86_64: Could not open '/lib64/ld-linux-x86-64.so.2': No such file or directory
=========================== logs ===========================
<launching> /ms-playwright/chromium-857950/chrome-linux/chrome --disable-background-networking --enable-features=NetworkService,NetworkServiceInProcess --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=TranslateUI,BlinkGenPropertyTrees,ImprovedCookieControls,SameSiteByDefaultCookies,LazyFrameLoading --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --user-data-dir=/tmp/playwright_chromiumdev_profile-gnq6ei --remote-debugging-pipe --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --no-startup-window
<launched> pid=25
[pid=25][err] qemu-x86_64: Could not open '/lib64/ld-linux-x86-64.so.2': No such file or directory
============================================================
Note: use DEBUG=pw:api environment variable to capture Playwright logs.
Error
    at Object.captureStackTrace (/usr/src/app/node_modules/playwright/lib/utils/stackTrace.js:48:19)
    at Connection.sendMessageToServer (/usr/src/app/node_modules/playwright/lib/client/connection.js:69:48)
    at Proxy.<anonymous> (/usr/src/app/node_modules/playwright/lib/client/channelOwner.js:64:61)
    at /usr/src/app/node_modules/playwright/lib/client/browserType.js:64:67
    at BrowserType._wrapApiCall (/usr/src/app/node_modules/playwright/lib/client/channelOwner.js:77:34)
    at BrowserType.launch (/usr/src/app/node_modules/playwright/lib/client/browserType.js:55:21)
    at /usr/src/app/test-a11y.js:47:64
    at step (/usr/src/app/test-a11y.js:33:23)
    at Object.next (/usr/src/app/test-a11y.js:14:53)
    at /usr/src/app/test-a11y.js:8:71

Node.js v18.16.0
SyntaxError: accessibility-results.json: Unexpected end of JSON input
    at JSON.parse (<anonymous>)
    at Object._readFile (/usr/src/app/node_modules/jsonfile/index.js:25:16)
    at async /usr/src/app/node_modules/@naturalcycles/json2html/dist/json2html.js:35:22
    at async /usr/src/app/node_modules/@naturalcycles/js-lib/dist/promise/pMap.js:80:42

CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

  • eslint-7.25.0.tgz (Root Library)
    • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: ee72b8b6c5613d7cd6fb7f1f7b70ba20bd8c6821

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5



Could not run it on MacBook M1

% docker pull gcr.io/check-accessibility/check-accessibility:0.1
0.1: Pulling from check-accessibility/check-accessibility
Digest: sha256:c483be93ab590bbc314873c9c2e55cb08868ac0f373ed8d66fb5af4f29bfbe0f
Status: Downloaded newer image for gcr.io/check-accessibility/check-accessibility:0.1
gcr.io/check-accessibility/check-accessibility:0.1
% docker run -e URL=https://jsonplaceholder.typicode.com -v $(pwd)/results:/usr/src/app/results gcr.io/check-accessibility/check-accessibility:0.1
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
docker: Error response from daemon: error while creating mount source path '/Users/syedahmed/QA/TOOLS/508-A11Y/results': 
% chmod -R 777 results
% docker run -e URL=https://jsonplaceholder.typicode.com -v $(pwd)/results:/usr/src/app/results gcr.io/check-accessibility/check-accessibility:0.1
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
internal/process/promises.js:213
        triggerUncaughtException(err, true /* fromPromise */);
        ^

browserContext.newPage: Protocol error (Target.createTarget): Browser closed.
==================== Browser output: ====================
[pid=31][err] [0428/010319.919038:ERROR:bus.cc(393)] Failed to connect to the bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
[pid=31][err] [0428/010319.928007:ERROR:file_path_watcher_linux.cc(316)] inotify_init() failed: Function not implemented (38)
[pid=31][err] Received signal 11 SEGV_MAPERR fffffb0000000008
[pid=31][err] Calling _exit(1). Core file will not be generated.
Error
    at Object.captureStackTrace (/usr/src/app/node_modules/playwright/lib/utils/stackTrace.js:48:19)
    at Connection.sendMessageToServer (/usr/src/app/node_modules/playwright/lib/client/connection.js:69:48)
    at Proxy.<anonymous> (/usr/src/app/node_modules/playwright/lib/client/channelOwner.js:64:61)
    at /usr/src/app/node_modules/playwright/lib/client/browserContext.js:119:52
    at ChromiumBrowserContext._wrapApiCall (/usr/src/app/node_modules/playwright/lib/client/channelOwner.js:77:34)
    at ChromiumBrowserContext.newPage (/usr/src/app/node_modules/playwright/lib/client/browserContext.js:116:21)
    at ChromiumBrowser.newPage (/usr/src/app/node_modules/playwright/lib/client/browser.js:58:36)
SyntaxError: accessibility-results.json: Unexpected end of JSON input
    at JSON.parse (<anonymous>)
    at Object._readFile (/usr/src/app/node_modules/jsonfile/index.js:25:16)
    at async /usr/src/app/node_modules/@naturalcycles/json2html/dist/json2html.js:35:22
    at async /usr/src/app/node_modules/@naturalcycles/js-lib/dist/promise/pMap.js:80:42

CVE-2021-32640 (Medium) detected in ws-7.4.5.tgz

CVE-2021-32640 - Medium Severity Vulnerability

Vulnerable Library - ws-7.4.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.4.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ws/package.json

Dependency Hierarchy:

  • playwright-1.10.0.tgz (Root Library)
    • ws-7.4.5.tgz (Vulnerable Library)

Found in HEAD commit: ee72b8b6c5613d7cd6fb7f1f7b70ba20bd8c6821

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution (ws): 7.4.6

Direct dependency fix Resolution (playwright): 1.11.0-1620262237000



CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • eslint-7.25.0.tgz (Root Library)
    • glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: ee72b8b6c5613d7cd6fb7f1f7b70ba20bd8c6821

Found in base branch: main

Vulnerability Details

Versions of the package glob-parent from 6.0.0 and before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1



CVE-2021-3807 (High) detected in ansi-regex-5.0.0.tgz

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Library - ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • eslint-7.25.0.tgz (Root Library)
    • strip-ansi-6.0.0.tgz
      • ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: ee72b8b6c5613d7cd6fb7f1f7b70ba20bd8c6821

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (eslint): 7.26.0
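
Added example (not part of the repository or the Mend reports): a small Node.js check that walks a package-lock.json structure and flags every installed copy of a package, nested transitive duplicates included, that sits below the fix resolutions quoted in the issues above. It assumes "below the fix resolution" is the upgrade criterion; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example, not project or Mend code. Fixed versions are the
// "Fix Resolution" values quoted in the issues on this page.
const FIX_RESOLUTIONS = new Map([
  ['jpeg-js', { fixed: '0.4.4', cve: 'CVE-2022-25851' }],
  ['minimatch', { fixed: '3.0.5', cve: 'CVE-2022-3517' }],
  ['ws', { fixed: '7.4.6', cve: 'CVE-2021-32640' }],
  ['glob-parent', { fixed: '6.0.1', cve: 'CVE-2021-35065' }],
  ['ansi-regex', { fixed: '5.0.1', cve: 'CVE-2021-3807' }],
]);

// "1.2.3" or "1.2.3-rc.1" -> { nums, pre }; null when not a semver string.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// <0 when a < b, 0 when equal, >0 when a > b, NaN when unparseable.
// Simplification: any prerelease sorts just below its release.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  if (!x || !y) return NaN;
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  return Number(y.pre) - Number(x.pre);
}

// lockfileVersion 1: nested "dependencies" tree.
function* walkV1(deps, prefix) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    yield { name, version: meta.version, path };
    yield* walkV1(meta.dependencies || {}, `${path}/node_modules`);
  }
}

// Every installed copy of every package, nested duplicates included.
function* installedPackages(lock) {
  if (!lock.packages) return yield* walkV1(lock.dependencies || {}, 'node_modules');
  // lockfileVersion 2 and 3: flat map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages)) {
    const i = path.lastIndexOf('node_modules/');
    if (i === -1 || meta.link) continue; // root project, workspaces, symlinks
    yield { name: path.slice(i + 'node_modules/'.length), version: meta.version, path };
  }
}

// Copies below their fix resolution; an unparseable version of a tracked
// package is reported too (fail closed, because NaN >= 0 is false).
function auditLockfile(lock, fixes = FIX_RESOLUTIONS) {
  return [...installedPackages(lock)]
    .map((pkg) => ({ ...pkg, ...fixes.get(pkg.name) }))
    .filter((f) => f.fixed && !(compareVersions(f.version, f.fixed) >= 0));
}

// Constructed sample lockfile: one hoisted fixed copy beside a nested old one.
const SAMPLE_LOCK = {
  packages: {
    '': {},
    'node_modules/jpeg-js': { version: '0.4.3' },
    'node_modules/ws': { version: '7.4.6' },
    'node_modules/ansi-regex': { version: '5.0.1' },
    'node_modules/strip-ansi/node_modules/ansi-regex': { version: '5.0.0' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.cve}: ${f.path} is ${f.version}, needs >= ${f.fixed}`);
}
```

To audit a real project, pass the parsed contents of its package-lock.json to auditLockfile and fail the CI job when the returned list is non-empty.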


