Class: Dependabot::NpmAndYarn::UpdateChecker::VulnerabilityAuditor
- Inherits:
-
Object
- Object
- Dependabot::NpmAndYarn::UpdateChecker::VulnerabilityAuditor
- Defined in:
- lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb
Instance Method Summary collapse
-
#audit(dependency:, security_advisories:) ⇒ Hash<String, [String, Array<Hash<String, String>>]>
Finds any dependencies in the ‘package-lock.json` or `npm-shrinkwrap.json` that have a subdependency on the given dependency that is locked to a vuln version range.
-
#initialize(dependency_files:, credentials:, allow_removal: false) ⇒ VulnerabilityAuditor
constructor
A new instance of VulnerabilityAuditor.
Constructor Details
#initialize(dependency_files:, credentials:, allow_removal: false) ⇒ VulnerabilityAuditor
Returns a new instance of VulnerabilityAuditor.
18 19 20 21 22 |
# File 'lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb', line 18 def initialize(dependency_files:, credentials:, allow_removal: false) @dependency_files = dependency_files @credentials = credentials @allow_removal = allow_removal end |
Instance Method Details
#audit(dependency:, security_advisories:) ⇒ Hash<String, [String, Array<Hash<String, String>>]>
Finds any dependencies in the ‘package-lock.json` or `npm-shrinkwrap.json` that have a subdependency on the given dependency that is locked to a vuln version range.
NOTE: yarn is currently not supported.
44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 |
# File 'lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb', line 44 def audit(dependency:, security_advisories:) fix_unavailable = { "dependency_name" => dependency.name, "fix_available" => false, "fix_updates" => [], "top_level_ancestors" => [] } SharedHelpers.in_a_temporary_directory do dependency_files_builder = DependencyFilesBuilder.new( dependency: dependency, dependency_files: dependency_files, credentials: credentials ) dependency_files_builder.write_temporary_dependency_files # `npm-shrinkwrap.js`, if present, takes precedence over `package-lock.js`. # Both files use the same format. See https://bit.ly/3lDIAJV for more. lockfile = (dependency_files_builder.shrinkwraps + dependency_files_builder.package_locks).first return fix_unavailable unless lockfile vuln_versions = security_advisories.map do |a| { dependency_name: a.dependency_name, affected_versions: a.vulnerable_version_strings } end audit_result = SharedHelpers.run_helper_subprocess( command: NativeHelpers.helper_path, function: "npm:vulnerabilityAuditor", args: [Dir.pwd, vuln_versions] ) return fix_unavailable unless viable_audit_result?(audit_result, security_advisories) audit_result end rescue SharedHelpers::HelperSubprocessFailed => e log_helper_subprocess_failure(dependency, e) fix_unavailable end |