Class: Dependabot::NpmAndYarn::UpdateChecker::VulnerabilityAuditor

Inherits:

Object

Object
Dependabot::NpmAndYarn::UpdateChecker::VulnerabilityAuditor

show all

Defined in:: lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb

Instance Method Summary collapse

#audit(dependency:, security_advisories:) ⇒ Hash<String, [String, Array<Hash<String, String>>]>

Finds any dependencies in the ‘package-lock.json` or `npm-shrinkwrap.json` that have a subdependency on the given dependency that is locked to a vuln version range.
#initialize(dependency_files:, credentials:, allow_removal: false) ⇒ VulnerabilityAuditor constructor

A new instance of VulnerabilityAuditor.

Constructor Details

#initialize(dependency_files:, credentials:, allow_removal: false) ⇒ `VulnerabilityAuditor`

Returns a new instance of VulnerabilityAuditor.

# File 'lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb', line 18

def initialize(dependency_files:, credentials:, allow_removal: false)
  @dependency_files = dependency_files
  @credentials = credentials
  @allow_removal = allow_removal
end

Instance Method Details

#audit(dependency:, security_advisories:) ⇒ `Hash<String, [String, Array<Hash<String, String>>]>`

Finds any dependencies in the ‘package-lock.json` or `npm-shrinkwrap.json` that have a subdependency on the given dependency that is locked to a vuln version range.

NOTE: yarn is currently not supported.

Parameters:

dependency (Dependabot::Dependency) —

the dependency to check
security_advisories (Array<Dependabot::SecurityAdvisory>) —

advisories for the dependency

Returns:

(Hash<String, [String, Array<Hash<String, String>>]>) —
the audit results
- :dependency_name [String] the name of the dependency
- :fix_available [Boolean] whether a fix is available
- :current_version [String] the version of the dependency
- :target_version [String] the version of the dependency after the fix
- :fix_updates [Array<Hash<String, String>>] a list of dependencies to update in order to fix
  - :dependency_name [String] the name of the blocking dependency
  - :current_version [String] the current version of the blocking dependency
  - :target_version [String] the target version of the blocking dependency
  - :top_level_ancestors [Array<String>] the names of top-level dependencies with a transitive dependency on the blocking dependency
- :top_level_ancestors [Array<String>] the names of all top-level dependencies with a transitive dependency on the dependency

# File 'lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb', line 44

def audit(dependency:, security_advisories:)
  fix_unavailable = {
    "dependency_name" => dependency.name,
    "fix_available" => false,
    "fix_updates" => [],
    "top_level_ancestors" => []
  }

  SharedHelpers.in_a_temporary_directory do
    dependency_files_builder = DependencyFilesBuilder.new(
      dependency: dependency,
      dependency_files: dependency_files,
      credentials: credentials
    )
    dependency_files_builder.write_temporary_dependency_files

    # `npm-shrinkwrap.js`, if present, takes precedence over `package-lock.js`.
    # Both files use the same format. See https://bit.ly/3lDIAJV for more.
    lockfile = (dependency_files_builder.shrinkwraps + dependency_files_builder.package_locks).first
    return fix_unavailable unless lockfile

    vuln_versions = security_advisories.map do |a|
      {
        dependency_name: a.dependency_name,
        affected_versions: a.vulnerable_version_strings
      }
    end

    audit_result = SharedHelpers.run_helper_subprocess(
      command: NativeHelpers.helper_path,
      function: "npm:vulnerabilityAuditor",
      args: [Dir.pwd, vuln_versions]
    )
    return fix_unavailable unless viable_audit_result?(audit_result, security_advisories)

    audit_result
  end
rescue SharedHelpers::HelperSubprocessFailed => e
  log_helper_subprocess_failure(dependency, e)
  fix_unavailable
end