Class: DependencySpy::API

Inherits:
Object
  • Object
show all
Defined in:
lib/dependency_spy.rb

Class Method Summary collapse

Class Method Details

.check(options) ⇒ Object 



31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
 
# File 'lib/dependency_spy.rb', line 31

def self.check(options)
  verbose = options[:verbose]
  path = options[:path] || Dir.pwd
  files = options[:files]
  platform = options[:platform]
  database_path = options[:database_path] || YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH
  offline = options[:offline] || false
  ignore = options[:ignore] || []

  if !File.exist?(database_path) && offline
    puts 'No local database found. Cannot obtain database since offline mode is enabled.'
    exit(10)
  elsif !offline
    puts 'Going to update the local vulnerability database.' if verbose
    YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
  end

  path             = File.expand_path(path)
  package_managers = find_platform(platform)
  file_list        = if !files.nil?
                       files.split(',').map { |f| "#{path}/#{f}" }
                     elsif File.file?(path)
                       path = File.dirname(path)
                       [File.basename(path)]
                     else
                       Bibliothecary.load_file_info_list(path).map(&:full_path)
                     end
  manifests        = package_managers.map { |pm| pm.analyse(path, file_list) }.flatten.compact
  manifests.map do |manifest|
    package_manager   = manifest[:platform]
    manifest_filename = manifest[:path]
    manifest_kind     = manifest[:kind]

    dependency_vulns = manifest[:dependencies].map do |dependency|
      package_name = dependency[:name] || dependency['name']
      version      = dependency[:requirement] || dependency['version']
      type         = dependency[:type] || dependency['type']

      package_vulns = vulns(manifest[:platform], package_name, database_path)

      vulnerabilities = package_vulns.select do |vuln|
        vulnerable = vuln.vulnerable_versions ? vuln.vulnerable_versions.any? { |vv| DependencySpy::SemVer.intersects(vv, version) } : false
        unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
        patched    = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
        ignored    = ignore.include?(vuln.id)

        if unaffected || patched
          false
        elsif ignored
          puts "Skipping ignored vulnerability with #{vuln.id}." if verbose
          false
        else
          vulnerable
        end
      end

      Dependency.new(package_name, version, type, vulnerabilities.uniq)
    end

    Manifest.new(package_manager, manifest_filename, manifest_kind, dependency_vulns.uniq)
  end
end

.update(vuln_repo_path = YAVDB::Constants::DEFAULT_YAVDB_PATH) ⇒ Object 



94
95
96
 
# File 'lib/dependency_spy.rb', line 94

def self.update(vuln_repo_path = YAVDB::Constants::DEFAULT_YAVDB_PATH)
  YAVDB::API.download_database(true, vuln_repo_path)
end