author | Simon Brandhof <simon.brandhof@sonarsource.com> | 2020-03-24 21:31:35 +0100 |
---|---|---|
committer | sonartech <sonartech@sonarsource.com> | 2020-03-25 20:03:54 +0000 |
commit | ac71f9c2f001f91cba8a246562c30771ffa1da11 (patch) | |
tree | ac736b3bc4b21e095087d3c6b9545fbfa8561281 | |
parent | eb1fc30c39a95db91a7e3c9a5b0cbbfd8fa13cf9 (diff) | |
SONAR-13155 add command to run yarn security audit
-rw-r--r-- | build.gradle | 4 | ||||
-rw-r--r-- | server/sonar-docs/build.gradle | 9 | ||||
-rw-r--r-- | server/sonar-web/build.gradle | 9 |
3 files changed, 20 insertions, 2 deletions
diff --git a/build.gradle b/build.gradle
index ce1b8e8dabe..cdb350f6362 100644
--- a/build.gradle
+++ b/build.gradle
@@ -415,7 +415,7 @@ subprojects {

 node {
 version = '10.15.3'
- yarnVersion = '1.15.2'
+ yarnVersion = '1.22.0'
 download = true
 }
 }
@@ -548,7 +548,7 @@ dependencyUpdates {
 boolean rejected = ['alpha', 'beta', 'rc', 'cr', 'm', 'preview', 'jre12'].any { qualifier ->
 it.candidate.version ==~ /(?i).*[.-]${qualifier}[.\d-]*/
 }
-
+
 // Exclude upgrades on new major versions :
 // com.hazelcast:hazelcast [3.12.3 -> 4.0.0]
 rejected |= !it.candidate.version.substring(0, 2).equals(it.currentVersion.substring(0, 2))
diff --git a/server/sonar-docs/build.gradle b/server/sonar-docs/build.gradle
index d072b8fe25e..cea99b44015 100644
--- a/server/sonar-docs/build.gradle
+++ b/server/sonar-docs/build.gradle
@@ -80,6 +80,15 @@ clean.dependsOn(cleanYarn_run)
 dependsOn(yarn)
 }

+// Check for known vulnerabilities
+yarn_audit {
+ inputs.file('package.json')
+ outputs.cacheIf { false }
+ args = ['--groups', 'dependencies', '--level', 'high']
+ ignoreExitValue = true
+ dependsOn(yarn)
+}
+
 task zip(type: Zip) {
 def archiveDir = "$version"
 duplicatesStrategy DuplicatesStrategy.EXCLUDE
diff --git a/server/sonar-web/build.gradle b/server/sonar-web/build.gradle
index 1a0b4e76deb..7949528eb51 100644
--- a/server/sonar-web/build.gradle
+++ b/server/sonar-web/build.gradle
@@ -42,6 +42,15 @@ build.dependsOn(yarn_run)
 dependsOn(yarn)
 }

+// Check for known vulnerabilities
+yarn_audit {
+ inputs.file('package.json')
+ outputs.cacheIf { false }
+ args = ['--groups', 'dependencies', '--level', 'high']
+ ignoreExitValue = true
+ dependsOn(yarn)
+}
+
 def sources = fileTree(dir: "src") + fileTree(dir: "scripts") + fileTree(dir: "config")

 task licenseCheckWeb(type: com.hierynomus.gradle.license.tasks.LicenseCheck) { |
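Review bot: `ignoreExitValue = true` in the new `yarn_audit` block of server/sonar-docs/build.gradle makes the audit advisory only — a high-severity finding is printed but never fails the build, and nothing in the hunk wires the task into `check` or `build`, so a finding is noticed only by whoever reads the log of an explicit `yarn_audit` invocation. If that is the intent, state it next to the flag rather than leaving the reader to infer it: `// Advisory only: the exit code is ignored and the task is not part of check; run ./gradlew yarn_audit and read the report`. The audit result depends on the resolved versions in yarn.lock, not only on package.json, so the input declaration would be more accurate as `inputs.files('package.json', 'yarn.lock')`, though that only matters if the task ever becomes subject to up-to-date checks. The block in server/sonar-web/build.gradle is a verbatim copy and the same points apply there.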