feat(core): Security audit (#5034)

* ✨ Implement security audit

* ⚡ Use logger

* 🧪 Fix test

* ⚡ Switch logger with stdout

* 🎨 Set new logo

* ⚡ Fill out Public API schema

* ✏️ Fix typo

* ⚡ Break dependency cycle

* ⚡ Add security settings values

* 🧪 Test security settings

* ⚡ Add publicly accessible instance warning

* ⚡ Add metric to CLI command

* ✏️ Fix typo

* 🔥 Remove unneeded path alias

* 📘 Add type import

* 🔥 Remove inferrable output type

* ⚡ Set description at correct level

* ⚡ Rename constant for consistency

* ⚡ Sort URLs

* ⚡ Rename local var

* ⚡ Shorten name

* ✏️ Improve phrasing

* ⚡ Improve naming

* ⚡ Fix casing

* ✏️ Add docline

* ✏️ Relocate comment

* ⚡ Add singular/plurals

* 🔥 Remove unneeded await

* ✏️ Improve test description

* ⚡ Optimize with sets

* ⚡ Adjust post master merge

* ✏️ Improve naming

* ⚡ Adjust in spy

* 🧪 Fix outdated instance test

* 🧪 Make diagnostics check consistent

* ⚡ Refactor `getAllExistingCreds`

* ⚡ Create helper `getNodeTypes`

* 🐛 Fix `InternalHooksManager` call

* 🚚 Rename `execution` to `nodes` risk

* ⚡ Add options to CLI command

* ⚡ Make days configurable

* :revert: Undo changes to `BaseCommand`

* ⚡ Improve CLI command UX

* ⚡ Change no-report return value

Empty array to trigger empty state on FE.

* ⚡ Add empty check to `reportInstanceRisk`

* 🧪 Extend Jest `expect`

* 📘 Augment `jest.Matchers`

* 🧪 Set extend as setup file

* 🔧 Override lint rule for `.d.ts`

* ⚡ Use new matcher

* ⚡ Update check

* 📘 Improve typings

* ⚡ Adjust instance risk check

* ✏️ Rename `execution` → `nodes` in Public API schema

* ✏️ Add clarifying comment

* ✏️ Fix typo

* ⚡ Validate categories in CLI command

* ✏️ Improve naming

* ✏️ Make audit reference consistent

* 📘 Fix typing

* ⚡ Use `finally` in CLI command

packages/cli/test/integration/audit/credentials.risk.test.ts

@@ -0,0 +1,225 @@
+import { v4 as uuid } from 'uuid';
+import * as Db from '@/Db';
+import config from '@/config';
+import { audit } from '@/audit';
+import { CREDENTIALS_REPORT } from '@/audit/constants';
+import { getRiskSection } from './utils';
+import * as testDb from '../shared/testDb';
+
+let testDbName = '';
+
+beforeAll(async () => {
+	const initResult = await testDb.init();
+	testDbName = initResult.testDbName;
+});
+
+beforeEach(async () => {
+	await testDb.truncate(['Workflow', 'Credentials', 'Execution'], testDbName);
+});
+
+afterAll(async () => {
+	await testDb.terminate(testDbName);
+});
+
+test('should report credentials not in any use', async () => {
+	const credentialDetails = {
+		name: 'My Slack Credential',
+		data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',
+		type: 'slackApi',
+		nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],
+	};
+
+	const workflowDetails = {
+		name: 'My Test Workflow',
+		active: false,
+		connections: {},
+		nodeTypes: {},
+		nodes: [
+			{
+				id: uuid(),
+				name: 'My Node',
+				type: 'n8n-nodes-base.slack',
+				typeVersion: 1,
+				position: [0, 0] as [number, number],
+			},
+		],
+	};
+
+	await Promise.all([
+		Db.collections.Credentials.save(credentialDetails),
+		Db.collections.Workflow.save(workflowDetails),
+	]);
+
+	const testAudit = await audit(['credentials']);
+
+	const section = getRiskSection(
+		testAudit,
+		CREDENTIALS_REPORT.RISK,
+		CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_IN_ANY_USE,
+	);
+
+	expect(section.location).toHaveLength(1);
+	expect(section.location[0]).toMatchObject({
+		id: '1',
+		name: 'My Slack Credential',
+	});
+});
+
+test('should report credentials not in active use', async () => {
+	const credentialDetails = {
+		name: 'My Slack Credential',
+		data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',
+		type: 'slackApi',
+		nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],
+	};
+
+	const credential = await Db.collections.Credentials.save(credentialDetails);
+
+	const workflowDetails = {
+		name: 'My Test Workflow',
+		active: false,
+		connections: {},
+		nodeTypes: {},
+		nodes: [
+			{
+				id: uuid(),
+				name: 'My Node',
+				type: 'n8n-nodes-base.slack',
+				typeVersion: 1,
+				position: [0, 0] as [number, number],
+			},
+		],
+	};
+
+	await Db.collections.Workflow.save(workflowDetails);
+
+	const testAudit = await audit(['credentials']);
+
+	const section = getRiskSection(
+		testAudit,
+		CREDENTIALS_REPORT.RISK,
+		CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_IN_ACTIVE_USE,
+	);
+
+	expect(section.location).toHaveLength(1);
+	expect(section.location[0]).toMatchObject({
+		id: credential.id,
+		name: 'My Slack Credential',
+	});
+});
+
+test('should report credential in not recently executed workflow', async () => {
+	const credentialDetails = {
+		name: 'My Slack Credential',
+		data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',
+		type: 'slackApi',
+		nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],
+	};
+
+	const credential = await Db.collections.Credentials.save(credentialDetails);
+
+	const workflowDetails = {
+		name: 'My Test Workflow',
+		active: false,
+		connections: {},
+		nodeTypes: {},
+		nodes: [
+			{
+				id: uuid(),
+				name: 'My Node',
+				type: 'n8n-nodes-base.slack',
+				typeVersion: 1,
+				position: [0, 0] as [number, number],
+				credentials: {
+					slackApi: {
+						id: credential.id,
+						name: credential.name,
+					},
+				},
+			},
+		],
+	};
+
+	const workflow = await Db.collections.Workflow.save(workflowDetails);
+
+	const date = new Date();
+	date.setDate(date.getDate() - config.getEnv('security.audit.daysAbandonedWorkflow') - 1);
+
+	await Db.collections.Execution.save({
+		data: '[]',
+		finished: true,
+		mode: 'manual',
+		startedAt: date,
+		stoppedAt: date,
+		workflowData: workflow,
+		workflowId: workflow.id,
+		waitTill: null,
+	});
+
+	const testAudit = await audit(['credentials']);
+
+	const section = getRiskSection(
+		testAudit,
+		CREDENTIALS_REPORT.RISK,
+		CREDENTIALS_REPORT.SECTIONS.CREDS_NOT_RECENTLY_EXECUTED,
+	);
+
+	expect(section.location).toHaveLength(1);
+	expect(section.location[0]).toMatchObject({
+		id: credential.id,
+		name: credential.name,
+	});
+});
+
+test('should not report credentials in recently executed workflow', async () => {
+	const credentialDetails = {
+		name: 'My Slack Credential',
+		data: 'U2FsdGVkX18WjITBG4IDqrGB1xE/uzVNjtwDAG3lP7E=',
+		type: 'slackApi',
+		nodesAccess: [{ nodeType: 'n8n-nodes-base.slack', date: '2022-12-21T11:23:00.561Z' }],
+	};
+
+	const credential = await Db.collections.Credentials.save(credentialDetails);
+
+	const workflowDetails = {
+		name: 'My Test Workflow',
+		active: true,
+		connections: {},
+		nodeTypes: {},
+		nodes: [
+			{
+				id: uuid(),
+				name: 'My Node',
+				type: 'n8n-nodes-base.slack',
+				typeVersion: 1,
+				position: [0, 0] as [number, number],
+				credentials: {
+					slackApi: {
+						id: credential.id,
+						name: credential.name,
+					},
+				},
+			},
+		],
+	};
+
+	const workflow = await Db.collections.Workflow.save(workflowDetails);
+
+	const date = new Date();
+	date.setDate(date.getDate() - config.getEnv('security.audit.daysAbandonedWorkflow') + 1);
+
+	await Db.collections.Execution.save({
+		data: '[]',
+		finished: true,
+		mode: 'manual',
+		startedAt: date,
+		stoppedAt: date,
+		workflowData: workflow,
+		workflowId: workflow.id,
+		waitTill: null,
+	});
+
+	const testAudit = await audit(['credentials']);
+
+	expect(testAudit).toBeEmptyArray();
+});

packages/cli/test/integration/audit/database.risk.test.ts

@@ -0,0 +1,187 @@
+import { v4 as uuid } from 'uuid';
+import * as Db from '@/Db';
+import { audit } from '@/audit';
+import {
+	DATABASE_REPORT,
+	SQL_NODE_TYPES,
+	SQL_NODE_TYPES_WITH_QUERY_PARAMS,
+} from '@/audit/constants';
+import { getRiskSection, saveManualTriggerWorkflow } from './utils';
+import * as testDb from '../shared/testDb';
+
+let testDbName = '';
+
+beforeAll(async () => {
+	const initResult = await testDb.init();
+	testDbName = initResult.testDbName;
+});
+
+beforeEach(async () => {
+	await testDb.truncate(['Workflow'], testDbName);
+});
+
+afterAll(async () => {
+	await testDb.terminate(testDbName);
+});
+
+test('should report expressions in queries', async () => {
+	const map = [...SQL_NODE_TYPES].reduce<{ [nodeType: string]: string }>((acc, cur) => {
+		return (acc[cur] = uuid()), acc;
+	}, {});
+
+	const promises = Object.entries(map).map(async ([nodeType, nodeId]) => {
+		const details = {
+			name: 'My Test Workflow',
+			active: false,
+			connections: {},
+			nodeTypes: {},
+			nodes: [
+				{
+					id: nodeId,
+					name: 'My Node',
+					type: nodeType,
+					parameters: {
+						operation: 'executeQuery',
+						query: '=SELECT * FROM {{ $json.table }}',
+						additionalFields: {},
+					},
+					typeVersion: 1,
+					position: [0, 0] as [number, number],
+				},
+			],
+		};
+
+		return Db.collections.Workflow.save(details);
+	});
+
+	await Promise.all(promises);
+
+	const testAudit = await audit(['database']);
+
+	const section = getRiskSection(
+		testAudit,
+		DATABASE_REPORT.RISK,
+		DATABASE_REPORT.SECTIONS.EXPRESSIONS_IN_QUERIES,
+	);
+
+	expect(section.location).toHaveLength(SQL_NODE_TYPES.size);
+
+	for (const loc of section.location) {
+		if (loc.kind === 'node') {
+			expect(loc.nodeId).toBe(map[loc.nodeType]);
+		}
+	}
+});
+
+test('should report expressions in query params', async () => {
+	const map = [...SQL_NODE_TYPES_WITH_QUERY_PARAMS].reduce<{ [nodeType: string]: string }>(
+		(acc, cur) => {
+			return (acc[cur] = uuid()), acc;
+		},
+		{},
+	);
+
+	const promises = Object.entries(map).map(async ([nodeType, nodeId]) => {
+		const details = {
+			name: 'My Test Workflow',
+			active: false,
+			connections: {},
+			nodeTypes: {},
+			nodes: [
+				{
+					id: nodeId,
+					name: 'My Node',
+					type: nodeType,
+					parameters: {
+						operation: 'executeQuery',
+						query: 'SELECT * FROM users WHERE id = $1;',
+						additionalFields: {
+							queryParams: '={{ $json.userId }}',
+						},
+					},
+					typeVersion: 1,
+					position: [0, 0] as [number, number],
+				},
+			],
+		};
+
+		return Db.collections.Workflow.save(details);
+	});
+
+	await Promise.all(promises);
+
+	const testAudit = await audit(['database']);
+
+	const section = getRiskSection(
+		testAudit,
+		DATABASE_REPORT.RISK,
+		DATABASE_REPORT.SECTIONS.EXPRESSIONS_IN_QUERY_PARAMS,
+	);
+
+	expect(section.location).toHaveLength(SQL_NODE_TYPES_WITH_QUERY_PARAMS.size);
+
+	for (const loc of section.location) {
+		if (loc.kind === 'node') {
+			expect(loc.nodeId).toBe(map[loc.nodeType]);
+		}
+	}
+});
+
+test('should report unused query params', async () => {
+	const map = [...SQL_NODE_TYPES_WITH_QUERY_PARAMS].reduce<{ [nodeType: string]: string }>(
+		(acc, cur) => {
+			return (acc[cur] = uuid()), acc;
+		},
+		{},
+	);
+
+	const promises = Object.entries(map).map(async ([nodeType, nodeId]) => {
+		const details = {
+			name: 'My Test Workflow',
+			active: false,
+			connections: {},
+			nodeTypes: {},
+			nodes: [
+				{
+					id: nodeId,
+					name: 'My Node',
+					type: nodeType,
+					parameters: {
+						operation: 'executeQuery',
+						query: 'SELECT * FROM users WHERE id = 123;',
+					},
+					typeVersion: 1,
+					position: [0, 0] as [number, number],
+				},
+			],
+		};
+
+		return Db.collections.Workflow.save(details);
+	});
+
+	await Promise.all(promises);
+
+	const testAudit = await audit(['database']);
+
+	const section = getRiskSection(
+		testAudit,
+		DATABASE_REPORT.RISK,
+		DATABASE_REPORT.SECTIONS.UNUSED_QUERY_PARAMS,
+	);
+
+	expect(section.location).toHaveLength(SQL_NODE_TYPES_WITH_QUERY_PARAMS.size);
+
+	for (const loc of section.location) {
+		if (loc.kind === 'node') {
+			expect(loc.nodeId).toBe(map[loc.nodeType]);
+		}
+	}
+});
+
+test('should not report non-database node', async () => {
+	await saveManualTriggerWorkflow();
+
+	const testAudit = await audit(['database']);
+
+	expect(testAudit).toBeEmptyArray();
+});

packages/cli/test/integration/audit/filesystem.risk.test.ts

@@ -0,0 +1,76 @@
+import { v4 as uuid } from 'uuid';
+import * as Db from '@/Db';
+import { audit } from '@/audit';
+import { FILESYSTEM_INTERACTION_NODE_TYPES, FILESYSTEM_REPORT } from '@/audit/constants';
+import { getRiskSection, saveManualTriggerWorkflow } from './utils';
+import * as testDb from '../shared/testDb';
+
+let testDbName = '';
+
+beforeAll(async () => {
+	const initResult = await testDb.init();
+	testDbName = initResult.testDbName;
+});
+
+beforeEach(async () => {
+	await testDb.truncate(['Workflow'], testDbName);
+});
+
+afterAll(async () => {
+	await testDb.terminate(testDbName);
+});
+
+test('should report filesystem interaction nodes', async () => {
+	const map = [...FILESYSTEM_INTERACTION_NODE_TYPES].reduce<{ [nodeType: string]: string }>(
+		(acc, cur) => {
+			return (acc[cur] = uuid()), acc;
+		},
+		{},
+	);
+
+	const promises = Object.entries(map).map(async ([nodeType, nodeId]) => {
+		const details = {
+			name: 'My Test Workflow',
+			active: false,
+			connections: {},
+			nodeTypes: {},
+			nodes: [
+				{
+					id: nodeId,
+					name: 'My Node',
+					type: nodeType,
+					typeVersion: 1,
+					position: [0, 0] as [number, number],
+				},
+			],
+		};
+
+		return Db.collections.Workflow.save(details);
+	});
+
+	await Promise.all(promises);
+
+	const testAudit = await audit(['filesystem']);
+
+	const section = getRiskSection(
+		testAudit,
+		FILESYSTEM_REPORT.RISK,
+		FILESYSTEM_REPORT.SECTIONS.FILESYSTEM_INTERACTION_NODES,
+	);
+
+	expect(section.location).toHaveLength(FILESYSTEM_INTERACTION_NODE_TYPES.size);
+
+	for (const loc of section.location) {
+		if (loc.kind === 'node') {
+			expect(loc.nodeId).toBe(map[loc.nodeType]);
+		}
+	}
+});
+
+test('should not report non-filesystem-interaction node', async () => {
+	await saveManualTriggerWorkflow();
+
+	const testAudit = await audit(['filesystem']);
+
+	expect(testAudit).toBeEmptyArray();
+});

packages/cli/test/integration/audit/instance.risk.test.ts

@@ -0,0 +1,255 @@
+import { v4 as uuid } from 'uuid';
+import * as Db from '@/Db';
+import { audit } from '@/audit';
+import { INSTANCE_REPORT, WEBHOOK_VALIDATOR_NODE_TYPES } from '@/audit/constants';
+import {
+	getRiskSection,
+	saveManualTriggerWorkflow,
+	MOCK_09990_N8N_VERSION,
+	simulateOutdatedInstanceOnce,
+	simulateUpToDateInstance,
+} from './utils';
+import * as testDb from '../shared/testDb';
+import { toReportTitle } from '@/audit/utils';
+import config from '@/config';
+
+let testDbName = '';
+
+beforeAll(async () => {
+	const initResult = await testDb.init();
+	testDbName = initResult.testDbName;
+
+	simulateUpToDateInstance();
+});
+
+beforeEach(async () => {
+	await testDb.truncate(['Workflow'], testDbName);
+});
+
+afterAll(async () => {
+	await testDb.terminate(testDbName);
+});
+
+test('should report webhook lacking authentication', async () => {
+	const targetNodeId = uuid();
+
+	const details = {
+		name: 'My Test Workflow',
+		active: true,
+		nodeTypes: {},
+		connections: {},
+		nodes: [
+			{
+				parameters: {
+					path: uuid(),
+					options: {},
+				},
+				id: targetNodeId,
+				name: 'Webhook',
+				type: 'n8n-nodes-base.webhook',
+				typeVersion: 1,
+				position: [0, 0] as [number, number],
+				webhookId: uuid(),
+			},
+		],
+	};
+
+	await Db.collections.Workflow.save(details);
+
+	const testAudit = await audit(['instance']);
+
+	const section = getRiskSection(
+		testAudit,
+		INSTANCE_REPORT.RISK,
+		INSTANCE_REPORT.SECTIONS.UNPROTECTED_WEBHOOKS,
+	);
+
+	if (!section.location) {
+		fail('Expected section to have locations');
+	}
+
+	expect(section.location).toHaveLength(1);
+
+	expect(section.location[0].nodeId).toBe(targetNodeId);
+});
+
+test('should not report webhooks having basic or header auth', async () => {
+	const promises = ['basicAuth', 'headerAuth'].map(async (authType) => {
+		const details = {
+			name: 'My Test Workflow',
+			active: true,
+			nodeTypes: {},
+			connections: {},
+			nodes: [
+				{
+					parameters: {
+						path: uuid(),
+						authentication: authType,
+						options: {},
+					},
+					id: uuid(),
+					name: 'Webhook',
+					type: 'n8n-nodes-base.webhook',
+					typeVersion: 1,
+					position: [0, 0] as [number, number],
+					webhookId: uuid(),
+				},
+			],
+		};
+
+		return Db.collections.Workflow.save(details);
+	});
+
+	await Promise.all(promises);
+
+	const testAudit = await audit(['instance']);
+
+	const report = testAudit?.[toReportTitle('instance')];
+
+	if (!report) {
+		fail('Expected test audit to have instance risk report');
+	}
+
+	for (const section of report.sections) {
+		expect(section.title).not.toBe(INSTANCE_REPORT.SECTIONS.UNPROTECTED_WEBHOOKS);
+	}
+});
+
+test('should not report webhooks validated by direct children', async () => {
+	const promises = [...WEBHOOK_VALIDATOR_NODE_TYPES].map(async (nodeType) => {
+		const details = {
+			name: 'My Test Workflow',
+			active: true,
+			nodeTypes: {},
+			nodes: [
+				{
+					parameters: {
+						path: uuid(),
+						options: {},
+					},
+					id: uuid(),
+					name: 'Webhook',
+					type: 'n8n-nodes-base.webhook',
+					typeVersion: 1,
+					position: [0, 0] as [number, number],
+					webhookId: uuid(),
+				},
+				{
+					id: uuid(),
+					name: 'My Node',
+					type: nodeType,
+					typeVersion: 1,
+					position: [0, 0] as [number, number],
+				},
+			],
+			connections: {
+				Webhook: {
+					main: [
+						[
+							{
+								node: 'My Node',
+								type: 'main',
+								index: 0,
+							},
+						],
+					],
+				},
+			},
+		};
+
+		return Db.collections.Workflow.save(details);
+	});
+
+	await Promise.all(promises);
+
+	const testAudit = await audit(['instance']);
+
+	const report = testAudit?.[toReportTitle('instance')];
+
+	if (!report) {
+		fail('Expected test audit to have instance risk report');
+	}
+
+	for (const section of report.sections) {
+		expect(section.title).not.toBe(INSTANCE_REPORT.SECTIONS.UNPROTECTED_WEBHOOKS);
+	}
+});
+
+test('should not report non-webhook node', async () => {
+	await saveManualTriggerWorkflow();
+
+	const testAudit = await audit(['instance']);
+
+	const report = testAudit?.[toReportTitle('instance')];
+
+	if (!report) {
+		fail('Expected test audit to have instance risk report');
+	}
+
+	for (const section of report.sections) {
+		expect(section.title).not.toBe(INSTANCE_REPORT.SECTIONS.UNPROTECTED_WEBHOOKS);
+	}
+});
+
+test('should report outdated instance when outdated', async () => {
+	simulateOutdatedInstanceOnce();
+
+	const testAudit = await audit(['instance']);
+
+	const section = getRiskSection(
+		testAudit,
+		INSTANCE_REPORT.RISK,
+		INSTANCE_REPORT.SECTIONS.OUTDATED_INSTANCE,
+	);
+
+	if (!section.nextVersions) {
+		fail('Expected section to have next versions');
+	}
+
+	expect(section.nextVersions).toHaveLength(1);
+
+	expect(section.nextVersions[0].name).toBe(MOCK_09990_N8N_VERSION.name);
+});
+
+test('should not report outdated instance when up to date', async () => {
+	const testAudit = await audit(['instance']);
+
+	const report = testAudit?.[toReportTitle('instance')];
+
+	if (!report) {
+		fail('Expected test audit to have instance risk report');
+	}
+
+	for (const section of report.sections) {
+		expect(section.title).not.toBe(INSTANCE_REPORT.SECTIONS.OUTDATED_INSTANCE);
+	}
+});
+
+test('should report security settings', async () => {
+	config.set('diagnostics.enabled', true);
+
+	const testAudit = await audit(['instance']);
+
+	const section = getRiskSection(
+		testAudit,
+		INSTANCE_REPORT.RISK,
+		INSTANCE_REPORT.SECTIONS.SECURITY_SETTINGS,
+	);
+
+	expect(section.settings).toMatchObject({
+		features: {
+			communityPackagesEnabled: true,
+			versionNotificationsEnabled: true,
+			templatesEnabled: true,
+			publicApiEnabled: false,
+			userManagementEnabled: true,
+		},
+		auth: {
+			authExcludeEndpoints: 'none',
+			basicAuthActive: false,
+			jwtAuthActive: false,
+		},
+		nodes: { nodesExclude: 'none', nodesInclude: 'none' },
+		telemetry: { diagnosticsEnabled: true },
+	});
+});

packages/cli/test/integration/audit/nodes.risk.test.ts

@@ -0,0 +1,99 @@
+import { v4 as uuid } from 'uuid';
+import * as Db from '@/Db';
+import { audit } from '@/audit';
+import * as packageModel from '@/CommunityNodes/packageModel';
+import { OFFICIAL_RISKY_NODE_TYPES, NODES_REPORT } from '@/audit/constants';
+import { getRiskSection, MOCK_PACKAGE, saveManualTriggerWorkflow } from './utils';
+import * as testDb from '../shared/testDb';
+import { toReportTitle } from '@/audit/utils';
+
+let testDbName = '';
+
+beforeAll(async () => {
+	const initResult = await testDb.init();
+	testDbName = initResult.testDbName;
+});
+
+beforeEach(async () => {
+	await testDb.truncate(['Workflow'], testDbName);
+});
+
+afterAll(async () => {
+	await testDb.terminate(testDbName);
+});
+
+test('should report risky official nodes', async () => {
+	const map = [...OFFICIAL_RISKY_NODE_TYPES].reduce<{ [nodeType: string]: string }>((acc, cur) => {
+		return (acc[cur] = uuid()), acc;
+	}, {});
+
+	const promises = Object.entries(map).map(async ([nodeType, nodeId]) => {
+		const details = {
+			name: 'My Test Workflow',
+			active: false,
+			connections: {},
+			nodeTypes: {},
+			nodes: [
+				{
+					id: nodeId,
+					name: 'My Node',
+					type: nodeType,
+					typeVersion: 1,
+					position: [0, 0] as [number, number],
+				},
+			],
+		};
+
+		return Db.collections.Workflow.save(details);
+	});
+
+	await Promise.all(promises);
+
+	const testAudit = await audit(['nodes']);
+
+	const section = getRiskSection(
+		testAudit,
+		NODES_REPORT.RISK,
+		NODES_REPORT.SECTIONS.OFFICIAL_RISKY_NODES,
+	);
+
+	expect(section.location).toHaveLength(OFFICIAL_RISKY_NODE_TYPES.size);
+
+	for (const loc of section.location) {
+		if (loc.kind === 'node') {
+			expect(loc.nodeId).toBe(map[loc.nodeType]);
+		}
+	}
+});
+
+test('should not report non-risky official nodes', async () => {
+	await saveManualTriggerWorkflow();
+
+	const testAudit = await audit(['nodes']);
+
+	const report = testAudit?.[toReportTitle('nodes')];
+
+	if (!report) return;
+
+	for (const section of report.sections) {
+		expect(section.title).not.toBe(NODES_REPORT.SECTIONS.OFFICIAL_RISKY_NODES);
+	}
+});
+
+test('should report community nodes', async () => {
+	jest.spyOn(packageModel, 'getAllInstalledPackages').mockResolvedValueOnce(MOCK_PACKAGE);
+
+	const testAudit = await audit(['nodes']);
+
+	const section = getRiskSection(
+		testAudit,
+		NODES_REPORT.RISK,
+		NODES_REPORT.SECTIONS.COMMUNITY_NODES,
+	);
+
+	expect(section.location).toHaveLength(1);
+
+	if (section.location[0].kind === 'community') {
+		expect(section.location[0].nodeType).toBe(MOCK_PACKAGE[0].installedNodes[0].type);
+	}
+});

packages/cli/test/integration/audit/utils.ts

@@ -0,0 +1,130 @@
+import nock from 'nock';
+import config from '@/config';
+import { v4 as uuid } from 'uuid';
+import * as Db from '@/Db';
+import { toReportTitle } from '@/audit/utils';
+import * as constants from '@/constants';
+import type { Risk } from '@/audit/types';
+import type { InstalledNodes } from '@/databases/entities/InstalledNodes';
+import type { InstalledPackages } from '@/databases/entities/InstalledPackages';
+
+type GetSectionKind<C extends Risk.Category> = C extends 'instance'
+	? Risk.InstanceSection
+	: Risk.StandardSection;
+
+export function getRiskSection<C extends Risk.Category>(
+	testAudit: Risk.Audit | never[],
+	riskCategory: C,
+	sectionTitle: string,
+): GetSectionKind<C> {
+	if (Array.isArray(testAudit)) {
+		throw new Error('Expected test audit not to be an array');
+	}
+
+	const report = testAudit[toReportTitle(riskCategory)];
+
+	if (!report) throw new Error(`Expected risk "${riskCategory}"`);
+
+	for (const section of report.sections) {
+		if (section.title === sectionTitle) {
+			return section as GetSectionKind<C>;
+		}
+	}
+
+	throw new Error(`Expected section "${sectionTitle}" for risk "${riskCategory}"`);
+}
+
+export async function saveManualTriggerWorkflow() {
+	const details = {
+		id: '1',
+		name: 'My Test Workflow',
+		active: false,
+		connections: {},
+		nodeTypes: {},
+		nodes: [
+			{
+				id: uuid(),
+				name: 'My Node',
+				type: 'n8n-nodes-base.manualTrigger',
+				typeVersion: 1,
+				position: [0, 0] as [number, number],
+			},
+		],
+	};
+
+	return Db.collections.Workflow.save(details);
+}
+
+export const MOCK_09990_N8N_VERSION = {
+	name: '0.999.0',
+	nodes: [
+		{
+			name: 'n8n-nodes-base.testNode',
+			displayName: 'Test Node',
+			icon: 'file:testNode.svg',
+			defaults: {
+				name: 'Test Node',
+			},
+		},
+	],
+	createdAt: '2022-11-11T11:11:11.111Z',
+	description:
+		'Includes <strong>new nodes</strong>, <strong>node enhancements</strong>, <strong>core functionality</strong> and <strong>bug fixes</strong>',
+	documentationUrl: 'https://docs.n8n.io/reference/release-notes/#n8n09990',
+	hasBreakingChange: false,
+	hasSecurityFix: false,
+	hasSecurityIssue: false,
+	securityIssueFixVersion: null,
+};
+
+export const MOCK_01110_N8N_VERSION = {
+	name: '0.111.0',
+	nodes: [],
+	createdAt: '2022-01-01T00:00:00.000Z',
+	description:
+		'Includes <strong>new nodes</strong>, <strong>node enhancements</strong>, <strong>core functionality</strong> and <strong>bug fixes</strong>',
+	documentationUrl: 'https://docs.n8n.io/reference/release-notes/#n8n01110',
+	hasBreakingChange: false,
+	hasSecurityFix: false,
+	hasSecurityIssue: false,
+	securityIssueFixVersion: null,
+};
+
+export const MOCK_PACKAGE: InstalledPackages[] = [
+	{
+		createdAt: new Date(),
+		updatedAt: new Date(),
+		packageName: 'n8n-nodes-test',
+		installedVersion: '1.1.2',
+		authorName: 'test',
+		authorEmail: 'test@test.com',
+		setUpdateDate: () => {},
+		installedNodes: [
+			{
+				name: 'My Test Node',
+				type: 'myTestNode',
+				latestVersion: '1',
+			} as InstalledNodes,
+		],
+	},
+];
+
+export function simulateOutdatedInstanceOnce(versionName = MOCK_01110_N8N_VERSION.name) {
+	const baseUrl = config.getEnv('versionNotifications.endpoint') + '/';
+
+	jest
+		.spyOn(constants, 'getN8nPackageJson')
+		.mockReturnValueOnce({ name: 'n8n', version: versionName });
+
+	nock(baseUrl).get(versionName).reply(200, [MOCK_01110_N8N_VERSION, MOCK_09990_N8N_VERSION]);
+}
+
+export function simulateUpToDateInstance(versionName = MOCK_09990_N8N_VERSION.name) {
+	const baseUrl = config.getEnv('versionNotifications.endpoint') + '/';
+
+	jest
+		.spyOn(constants, 'getN8nPackageJson')
+		.mockReturnValueOnce({ name: 'n8n', version: versionName });
+
+	nock(baseUrl).persist().get(versionName).reply(200, [MOCK_09990_N8N_VERSION]);
+}