Class: Dependabot::SecurityAdvisory

Inherits:

Object

• Object
• Dependabot::SecurityAdvisory

Extended by:

T::Sig

Defined in:

lib/dependabot/security_advisory.rb

Instance Attribute Summary

• #dependency_name ⇒ Object readonly

  Returns the value of attribute dependency_name.

• #package_manager ⇒ Object readonly

  Returns the value of attribute package_manager.

• #safe_versions ⇒ Object readonly

  Returns the value of attribute safe_versions.

• #vulnerable_version_strings ⇒ Object readonly

  Returns the value of attribute vulnerable_version_strings.

• #vulnerable_versions ⇒ Object readonly

  Returns the value of attribute vulnerable_versions.

Instance Method Summary

• #affects_version?(version) ⇒ Boolean
• #fixed_by?(dependency) ⇒ Boolean
• #initialize(dependency_name:, package_manager:, vulnerable_versions: [], safe_versions: []) ⇒ SecurityAdvisory constructor

  A new instance of SecurityAdvisory.

• #vulnerable?(version) ⇒ Boolean

Constructor Details

#initialize(dependency_name:, package_manager:, vulnerable_versions: [], safe_versions: []) ⇒ SecurityAdvisory

Returns a new instance of SecurityAdvisory.

# File 'lib/dependabot/security_advisory.rb', line 35

def initialize(
  dependency_name:,
  package_manager:,
  vulnerable_versions: [],
  safe_versions: []
)
  @dependency_name = dependency_name
  @package_manager = package_manager
  @vulnerable_version_strings = T.let(vulnerable_versions || [], T::Array[T.any(String, Dependabot::Requirement)])
  @vulnerable_versions = T.let([], T::Array[Dependabot::Requirement])
  @safe_versions = T.let([], T::Array[Dependabot::Requirement])

  convert_string_version_requirements(vulnerable_version_strings, safe_versions || [])
  check_version_requirements
end

Instance Attribute Details

#dependency_name ⇒ Object (readonly)

Returns the value of attribute dependency_name.

# File 'lib/dependabot/security_advisory.rb', line 12

def dependency_name
  @dependency_name
end

#package_manager ⇒ Object (readonly)

Returns the value of attribute package_manager.

# File 'lib/dependabot/security_advisory.rb', line 15

def package_manager
  @package_manager
end

#safe_versions ⇒ Object (readonly)

Returns the value of attribute safe_versions.

# File 'lib/dependabot/security_advisory.rb', line 21

def safe_versions
  @safe_versions
end

#vulnerable_version_strings ⇒ Object (readonly)

Returns the value of attribute vulnerable_version_strings.

# File 'lib/dependabot/security_advisory.rb', line 24

def vulnerable_version_strings
  @vulnerable_version_strings
end

#vulnerable_versions ⇒ Object (readonly)

Returns the value of attribute vulnerable_versions.

# File 'lib/dependabot/security_advisory.rb', line 18

def vulnerable_versions
  @vulnerable_versions
end

Instance Method Details

#affects_version?(version) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dependabot/security_advisory.rb', line 103

def affects_version?(version)
  return false unless version_class.correct?(version)
  return false unless [*safe_versions, *vulnerable_versions].any?

  version = version_class.new(version)

  # If version is known safe for this advisory, it's not vulnerable
  return false if safe_versions.any? { |r| r.satisfied_by?(version) }

  # If in the vulnerable range and not known safe, it's vulnerable
  return true if vulnerable_versions.any? { |r| r.satisfied_by?(version) }

  # If a vulnerable range present but not met, it's not vulnerable
  return false if vulnerable_versions.any?

  # Finally, if no vulnerable range provided, but a safe range provided,
  # and this versions isn't included (checked earlier), it's vulnerable
  safe_versions.any?
end

#fixed_by?(dependency) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dependabot/security_advisory.rb', line 78

def fixed_by?(dependency)
  # Handle case mismatch between the security advisory and parsed name
  return false unless dependency_name.casecmp(dependency.name)&.zero?
  return false unless package_manager == dependency.package_manager
  # TODO: Support no previous version to the same level as dependency graph
  # and security alerts. We currently ignore dependency updates without a
  # previous version because we don't know if the dependency was vulnerable.
  return false unless dependency.previous_version
  return false unless version_class.correct?(dependency.previous_version)

  # Ignore deps that weren't previously vulnerable
  return false unless affects_version?(T.must(dependency.previous_version))

  # Removing a dependency is a way to fix the vulnerability
  return true if dependency.removed?

  # Select deps that are now fixed
  !affects_version?(T.must(dependency.version))
end

#vulnerable?(version) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dependabot/security_advisory.rb', line 52

def vulnerable?(version)
  in_safe_range = safe_versions
                  .any? { |r| r.satisfied_by?(version) }

  # If version is known safe for this advisory, it's not vulnerable
  return false if in_safe_range

  in_vulnerable_range = vulnerable_versions
                        .any? { |r| r.satisfied_by?(version) }

  # If in the vulnerable range and not known safe, it's vulnerable
  return true if in_vulnerable_range

  # If a vulnerable range present but not met, it's not vulnerable
  return false if vulnerable_versions.any?

  # Finally, if no vulnerable range provided, but a safe range provided,
  # and this versions isn't included (checked earlier), it's vulnerable
  safe_versions.any?
end