Class: Pipeline::RetireJS
- Includes:
- Util
- Defined in:
- lib/pipeline/tasks/retirejs.rb
Instance Attribute Summary
Attributes inherited from BaseTask
#appname, #description, #findings, #labels, #name, #stage, #trigger, #warnings
Instance Method Summary collapse
- #analyze ⇒ Object
-
#initialize(trigger, tracker) ⇒ RetireJS
constructor
A new instance of RetireJS.
- #parse_retire_json(result) ⇒ Object
- #run ⇒ Object
- #supported? ⇒ Boolean
Methods included from Util
#fingerprint, #relative_path, #runsystem, #strip_archive_path
Methods inherited from BaseTask
Constructor Details
#initialize(trigger, tracker) ⇒ RetireJS
Returns a new instance of RetireJS.
12 13 14 15 16 17 18 |
# File 'lib/pipeline/tasks/retirejs.rb', line 12 def initialize(trigger, tracker) super(trigger, tracker) @name = "RetireJS" @description = "Dependency analysis for JavaScript" @stage = :code @labels << "code" << "javascript" end |
Instance Method Details
#analyze ⇒ Object
34 35 36 37 38 39 40 41 42 43 44 45 |
# File 'lib/pipeline/tasks/retirejs.rb', line 34 def analyze begin vulnerabilities = parse_retire_json(JSON.parse(@result)) vulnerabilities.each do |vuln| report "Package #{vuln[:package]} has known security issues", vuln[:detail], vuln[:source], vuln[:severity], fingerprint("#{vuln[:package]}#{vuln[:source]}#{vuln[:severity]}") end rescue Exception => e Pipeline.warn e. Pipeline.warn e.backtrace end end |
#parse_retire_json(result) ⇒ Object
47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 |
# File 'lib/pipeline/tasks/retirejs.rb', line 47 def parse_retire_json result Pipeline.debug "Retire JSON Raw Result: #{result}" vulnerabilities = [] # This is very ugly, but so is the json retire.js spits out # Loop through each component/version combo and pull all results for it JsonPath.on(result, '$..component').uniq.each do |comp| JsonPath.on(result, "$..results[?(@.component == \'#{comp}\')].version").uniq.each do |version| vuln_hash = {} vuln_hash[:package] = "#{comp}-#{version}" version_results = JsonPath.on(result, "$..results[?(@.component == \'#{comp}\')]").select { |r| r['version'] == version }.uniq # If we see the parent-->component relationship, dig through the dependency tree to try and make a dep map deps = [] obj = version_results[0] while !obj['parent'].nil? deps << obj['parent']['component'] obj = obj['parent'] end if deps.length > 0 vuln_hash[:source] = { :scanner => @name, :file => "#{deps.reverse.join('->')}->#{comp}-#{version}", :line => nil, :code => nil } end vuln_hash[:severity] = 'unknown' # pull detail/severity version_results.each do |version_result| JsonPath.on(version_result, '$..vulnerabilities').uniq.each do |vuln| vuln_hash[:severity] = severity(vuln[0]['severity']) vuln_hash[:detail] = vuln[0]['info'].join('\n') end end vulnerabilities << vuln_hash end end # Loop through the separately reported 'file' findings so we can tag the source (no dep map here) result.select { |r| !r['file'].nil? }.each do |file_result| JsonPath.on(file_result, '$..component').uniq.each do |comp| JsonPath.on(file_result, "$..results[?(@.component == \'#{comp}\')].version").uniq.each do |version| source_path = Pathname.new(file_result['file']).relative_path_from Pathname.new(@trigger.path) vulnerabilities.select { |v| v[:package] == "#{comp}-#{version}" }.first[:source] = { :scanner => @name, :file => source_path.to_s, :line => nil, :code => nil } end end end return vulnerabilities end |
#run ⇒ Object
20 21 22 23 24 25 26 27 28 29 30 31 32 |
# File 'lib/pipeline/tasks/retirejs.rb', line 20 def run rootpath = @trigger.path Pipeline.debug "Retire rootpath: #{rootpath}" Dir.chdir("#{rootpath}") do if @tracker..has_key?(:npm_registry) registry = "--registry #{@tracker.[:npm_registry]}" else registry = nil end @result = `npm install --ignore-scripts #{registry}` # Need this even though it is slow to get full dependency analysis. end @result = `retire -c --outputformat json --path #{rootpath} 2>&1` end |