Class: Dependabot::NpmAndYarn::UpdateChecker::VulnerabilityAuditor

Inherits:
Object
  • Object
show all
Extended by:
T::Sig
Defined in:
lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb

Instance Method Summary collapse

Constructor Details

#initialize(dependency_files:, credentials:) ⇒ VulnerabilityAuditor

Returns a new instance of VulnerabilityAuditor.



30
31
32
33
 
# File 'lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb', line 30

def initialize(dependency_files:, credentials:)
  @dependency_files = dependency_files
  @credentials = credentials
end

Instance Method Details

#audit(dependency:, security_advisories:) ⇒ Object 



64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
 
# File 'lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb', line 64

def audit(dependency:, security_advisories:)
  Dependabot.logger.info("VulnerabilityAuditor: starting audit")

  fix_unavailable = {
    "dependency_name" => dependency.name,
    "fix_available" => false,
    "fix_updates" => [],
    "top_level_ancestors" => []
  }

  SharedHelpers.in_a_temporary_directory do
    dependency_files_builder = DependencyFilesBuilder.new(
      dependency: dependency,
      dependency_files: dependency_files,
      credentials: credentials
    )
    dependency_files_builder.write_temporary_dependency_files

    # `npm-shrinkwrap.js`, if present, takes precedence over `package-lock.js`.
    # Both files use the same format. See https://bit.ly/3lDIAJV for more.
    lockfile = (dependency_files_builder.shrinkwraps + dependency_files_builder.package_locks).first
    unless lockfile
      Dependabot.logger.info("VulnerabilityAuditor: missing lockfile")
      return fix_unavailable
    end

    vuln_versions = security_advisories.map do |a|
      {
        dependency_name: a.dependency_name,
        affected_versions: a.vulnerable_version_strings
      }
    end

    audit_result = T.cast(
      SharedHelpers.run_helper_subprocess(
        command: NativeHelpers.helper_path,
        function: "npm:vulnerabilityAuditor",
        args: [Dir.pwd, vuln_versions]
      ),
      T::Hash[String, T.untyped]
    )

    validation_result = validate_audit_result(audit_result, security_advisories)
    if validation_result != :viable
      Dependabot.logger.info("VulnerabilityAuditor: audit result not viable: #{validation_result}")
      fix_unavailable["explanation"] = explain_fix_unavailable(validation_result, dependency)
      return fix_unavailable
    end

    Dependabot.logger.info("VulnerabilityAuditor: audit result viable")
    audit_result
  end
rescue SharedHelpers::HelperSubprocessFailed => e
  log_helper_subprocess_failure(dependency, e)
  T.must(fix_unavailable)
end