Class: Dependabot::SecurityAdvisory

Inherits:
Object
  • Object
show all
Defined in:
lib/dependabot/security_advisory.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(dependency_name:, package_manager:, vulnerable_versions: [], safe_versions: []) ⇒ SecurityAdvisory

Returns a new instance of SecurityAdvisory.


10
11
12
13
14
15
16
17
18
19
# File 'lib/dependabot/security_advisory.rb', line 10

def initialize(dependency_name:, package_manager:,
               vulnerable_versions: [], safe_versions: [])
  @dependency_name = dependency_name
  @package_manager = package_manager
  @vulnerable_versions = vulnerable_versions || []
  @safe_versions = safe_versions || []

  convert_string_version_requirements
  check_version_requirements
end

Instance Attribute Details

#dependency_nameObject (readonly)

Returns the value of attribute dependency_name


7
8
9
# File 'lib/dependabot/security_advisory.rb', line 7

def dependency_name
  @dependency_name
end

#package_managerObject (readonly)

Returns the value of attribute package_manager


7
8
9
# File 'lib/dependabot/security_advisory.rb', line 7

def package_manager
  @package_manager
end

#safe_versionsObject (readonly)

Returns the value of attribute safe_versions


7
8
9
# File 'lib/dependabot/security_advisory.rb', line 7

def safe_versions
  @safe_versions
end

#vulnerable_versionsObject (readonly)

Returns the value of attribute vulnerable_versions


7
8
9
# File 'lib/dependabot/security_advisory.rb', line 7

def vulnerable_versions
  @vulnerable_versions
end

Instance Method Details

#affects_version?(version) ⇒ Boolean

Check if the version is affected by the advisory

Parameters:

  • version (Dependabot::<Package Manager>::Version)

    version class

Returns:

  • (Boolean)

71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# File 'lib/dependabot/security_advisory.rb', line 71

def affects_version?(version)
  return false unless version_class.correct?(version)
  return false unless [*safe_versions, *vulnerable_versions].any?

  version = version_class.new(version)

  # If version is known safe for this advisory, it's not vulnerable
  return false if safe_versions.any? { |r| r.satisfied_by?(version) }

  # If in the vulnerable range and not known safe, it's vulnerable
  return true if vulnerable_versions.any? { |r| r.satisfied_by?(version) }

  # If a vulnerable range present but not met, it's not vulnerable
  return false if vulnerable_versions.any?

  # Finally, if no vulnerable range provided, but a safe range provided,
  # and this versions isn't included (checked earler), it's vulnerable
  safe_versions.any?
end

#fixed_by?(dependency) ⇒ Boolean

Check if the advisory is fixed by the updated dependency

Parameters:

Returns:

  • (Boolean)

50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# File 'lib/dependabot/security_advisory.rb', line 50

def fixed_by?(dependency)
  # Handle case mismatch between the security advisory and parsed name
  return false unless dependency_name.downcase == dependency.name.downcase
  return false unless package_manager == dependency.package_manager
  # TODO: Support no previous version to the same level as dependency graph
  # and security alerts. We currently ignore dependency updates without a
  # previous version because we don't know if the dependency was vulerable.
  return false unless dependency.previous_version
  return false unless version_class.correct?(dependency.previous_version)

  # Ignore deps that weren't previously vulnerable
  return false unless affects_version?(dependency.previous_version)

  # Select deps that are now fixed
  !affects_version?(dependency.version)
end

#vulnerable?(version) ⇒ Boolean

Returns:

  • (Boolean)

21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
# File 'lib/dependabot/security_advisory.rb', line 21

def vulnerable?(version)
  unless version.is_a?(version_class) || version.instance_of?(Gem::Version)
    raise ArgumentError, "must be a #{version_class}"
  end

  in_safe_range = safe_versions.
                  any? { |r| r.satisfied_by?(version) }

  # If version is known safe for this advisory, it's not vulnerable
  return false if in_safe_range

  in_vulnerable_range = vulnerable_versions.
                        any? { |r| r.satisfied_by?(version) }

  # If in the vulnerable range and not known safe, it's vulnerable
  return true if in_vulnerable_range

  # If a vulnerable range present but not met, it's not vulnerable
  return false if vulnerable_versions.any?

  # Finally, if no vulnerable range provided, but a safe range provided,
  # and this versions isn't included (checked earlier), it's vulnerable
  safe_versions.any?
end