# File 'lib/dependency_spy.rb', line 31
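# Scans the manifests under +options[:path]+ and returns one Manifest per
# analysed manifest file, each carrying its dependencies together with the
# vulnerability records that match the dependency's version.
#
# Recognised keys of +options+ (all optional):
#   :verbose       - print progress messages to stdout
#   :path          - directory to scan, or a single manifest file (default: Dir.pwd)
#   :files         - comma-separated manifest names, resolved relative to :path
#   :platform      - handed to find_platform to pick the package managers
#   :database_path - local vulnerability database used for lookups
#                    (default: YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
#   :offline       - do not refresh the database (default: false)
#   :ignore        - vulnerability ids to drop from the results (default: [])
#
# Terminates the process with status 10 when :offline is set and no database
# exists at :database_path.
def self.check(options)
  verbose       = options[:verbose]
  path          = options[:path] || Dir.pwd
  files         = options[:files]
  platform      = options[:platform]
  database_path = options[:database_path] || YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH
  offline       = options[:offline] || false
  ignore        = options[:ignore] || []

  if !File.exist?(database_path) && offline
    puts 'No local database found. Cannot obtain database since offline mode is enabled.'
    exit(10)
  elsif !offline
    puts 'Going to update the local vulnerability database.' if verbose
    # NOTE(review): the refresh always writes to DEFAULT_YAVDB_PATH while the
    # lookups below read +database_path+, so a custom :database_path is never
    # refreshed here. No integrity check of the downloaded data is visible from
    # this method — confirm download_database verifies what it fetches before
    # the results are trusted.
    YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
  end

  path = File.expand_path(path)
  package_managers = find_platform(platform)

  # Every branch yields absolute manifest paths, and +path+ always ends up as
  # the directory handed to the analysers.
  file_list =
    if !files.nil?
      files.split(',').map { |f| "#{path}/#{f}" }
    elsif File.file?(path)
      # Capture the manifest's own path before +path+ is narrowed to its
      # directory; taking basename after the reassignment named the directory
      # rather than the manifest file, so the analysers never saw the file.
      manifest_path = path
      path = File.dirname(path)
      [manifest_path]
    else
      Bibliothecary.load_file_info_list(path).map(&:full_path)
    end

  manifests = package_managers.map { |pm| pm.analyse(path, file_list) }.flatten.compact

  manifests.map do |manifest|
    dependency_vulns = manifest[:dependencies].map do |dependency|
      # Dependency hashes arrive with either symbol or string keys.
      package_name = dependency[:name] || dependency['name']
      version      = dependency[:requirement] || dependency['version']
      type         = dependency[:type] || dependency['type']

      package_vulns = vulns(manifest[:platform], package_name, database_path)
      vulnerabilities = package_vulns.select do |vuln|
        # A missing version list on the record is treated as "no match".
        vulnerable = vuln.vulnerable_versions ? vuln.vulnerable_versions.any? { |vv| DependencySpy::SemVer.intersects(vv, version) } : false
        unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
        patched    = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
        ignored    = ignore.include?(vuln.id)

        # An explicit unaffected/patched range wins over a vulnerable range;
        # only then is the user's ignore list consulted.
        if unaffected || patched
          false
        elsif ignored
          puts "Skipping ignored vulnerability with #{vuln.id}." if verbose
          false
        else
          vulnerable
        end
      end

      Dependency.new(package_name, version, type, vulnerabilities.uniq)
    end

    Manifest.new(manifest[:platform], manifest[:path], manifest[:kind], dependency_vulns.uniq)
  end
end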