# File 'lib/dependency_spy.rb', line 31
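# Scan a project for dependencies that have known vulnerabilities in the
# local YAVDB database.
#
# @param path [String] directory to walk, or a single manifest file; defaults to the cwd
# @param files [String, nil] comma-separated manifest paths; when given, replaces the
#   directory walk entirely (paths are passed through as-is)
# @param platform [String, nil] restrict analysis to one package-manager platform
#   (resolved through +find_platform+)
# @param database_path [String] location of the local vulnerability database
# @param offline [Boolean] when true the database is never downloaded/refreshed
# @return [Array<Manifest>] one Manifest per detected manifest, each holding
#   Dependency objects annotated with the vulnerabilities matching their version
#
# Exits the process with status 10 when offline mode is requested but no local
# database exists. When not offline, the database is refreshed on every call.
def self.check(path = Dir.pwd, files = nil, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH, offline = false)
  if !File.exist?(database_path) && offline
    puts 'No local database found. Cannot obtain database since offline mode is enabled.'
    exit(10)
  elsif !offline
    puts 'Going to update the local vulnerability database.'
    YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
  end

  path = File.expand_path(path)
  package_managers = find_platform(platform)

  file_list =
    if !files.nil?
      files.split(',')
    elsif File.file?(path)
      # A single manifest was given: analyse its parent directory, but keep the
      # absolute file path in the list so it lines up with what the directory
      # walk below produces. (Previously this reassigned `path` to the dirname
      # first and then took File.basename of *that*, i.e. the directory's own
      # name, so the requested file was never in the list.)
      manifest_path = path
      path = File.dirname(path)
      [manifest_path]
    else
      # Walk the tree in Ruby rather than shelling out to `find ... | grep`.
      # `path` is command-line input and was interpolated unquoted into a shell
      # command, so a path such as `x; rm -rf ~` would have been executed;
      # a pure-Ruby walk also copes with filenames containing newlines.
      # `base:` keeps glob metacharacters in `path` literal, FNM_DOTMATCH
      # mirrors `find` listing dotfiles, and File.file? mirrors `-type f`.
      # NOTE(review): the ignore pattern was previously fed to `grep -E`; it is
      # assumed to be ERE/Ruby-compatible (a String or a Regexp both work here).
      ignored = Regexp.new(Bibliothecary.ignored_files_regex)
      Dir.glob('**/*', File::FNM_DOTMATCH, base: path)
         .map { |rel| File.join(path, rel) }
         .select { |candidate| File.file?(candidate) }
         .reject { |candidate| ignored.match?(candidate) }
         .sort
    end

  manifests = package_managers.map { |pm| pm.analyse(path, file_list) }.flatten.compact

  manifests.map do |manifest|
    dependency_vulns = manifest[:dependencies].map do |dependency|
      # Manifests may use symbol or string keys depending on the analyser.
      package_name = dependency[:name] || dependency['name']
      version = dependency[:requirement] || dependency['version']
      type = dependency[:type] || dependency['type']

      package_vulns = vulns(manifest[:platform], package_name, database_path)
      vulnerabilities = package_vulns.select do |vuln|
        # True when any of the given ranges intersects the declared version;
        # a nil range list never matches.
        in_range = lambda do |ranges|
          ranges ? ranges.any? { |range| DependencySpy::SemVer.intersects(range, version) } : false
        end
        # An unaffected or patched match overrides a vulnerable match.
        next false if in_range.call(vuln.unaffected_versions) || in_range.call(vuln.patched_versions)

        in_range.call(vuln.vulnerable_versions)
      end

      Dependency.new(package_name, version, type, vulnerabilities.uniq)
    end

    Manifest.new(manifest[:platform], manifest[:path], manifest[:kind], dependency_vulns.uniq)
  end
end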