dependabot-npm_and_yarn 0.194.1 → 0.196.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c0a04b2bdbf45e9bca7febc2052b4534d01c00a8bf3d7d893afb87ac2b5960b7
-  data.tar.gz: 8d6aa071258257451c443b771bd212fe6ee38ef02b776a1f603574f6049c3bf7
+  metadata.gz: f571bc3ea2061c9be74632412d008fa2cf20ce7301ca135bd44691e0c71568a6
+  data.tar.gz: 8de83c33bc6b953238a25be305e770d1ecd93997f9ef3591ccc99d9e2d890e53
 SHA512:
-  metadata.gz: 5ee4014411ebfb7856f621cef550996122f20df078a94536dbc58ef3876604d8a95cb80646f5689c675e5ac3287e8a67bc81e5a0a86b974a58f539236f7016d9
-  data.tar.gz: fcf294442c74aec5c286f3f2ea5cf0c39f30193623325b621f93fb133df84a9654b032190c07dcc2dae5be5d6d5582f26209709f40443b2a28950192d3e3e0e2
+  metadata.gz: d3f7032e974091c5968bf89dba3782fecc0eb31e888764e64cf5c38512d1cf41952a4059866c2e6fe9c17d6413ec0efa0cc256f7506b20097b53774d70367fe3
+  data.tar.gz: 5bf66a58afc71a31bbbe1926040fc1a7c2f02af40434695b5538987d67be0d0e8ab8dc35d0ce0ddac184b37a61156886f6ce22c0bc7b1933d2e5bd4be54f2ea8

data/helpers/lib/npm/index.js

@@ -1,6 +1,9 @@
 const conflictingDependencyParser = require("./conflicting-dependency-parser");
+const vulnerabilityAuditor = require("./vulnerability-auditor");
 
 module.exports = {
   findConflictingDependencies:
     conflictingDependencyParser.findConflictingDependencies,
+  vulnerabilityAuditor:
+    vulnerabilityAuditor.findVulnerableDependencies,
 };

data/helpers/lib/npm/vulnerability-auditor.js

@@ -0,0 +1,206 @@
+/* Vulnerability auditor for npm
+ *
+ * Inputs:
+ *  - path to directory containing a package.json and a package-lock.json
+ *  - array of security advisories to audit for,
+ *      [
+ *        { dependency_name: string, affected_versions: [string, ...] },
+ *        ...
+ *      ]
+ *
+ * Outputs:
+ *  - object indicating whether a fix is available and how to achieve it,
+ *      {
+ *        dependency_name: string,
+ *        current_version: string,
+ *        target_version: string,
+ *        fix_available: boolean | object,
+ *        fix_updates: [
+ *          {
+ *            dependency_name: string,
+ *            current_version: string,
+ *            target_version: string
+ *          },
+ *          ...
+ *        ]
+ *      }
+ */
+
+const Arborist = require('@npmcli/arborist')
+const nock = require('nock')
+const { promisify } = require('util');
+const exec = promisify(require('child_process').exec)
+
+async function findVulnerableDependencies(directory, advisories) {
+  const npmConfig = await loadNpmConfig()
+  const caCerts = loadCACerts(npmConfig)
+
+  const arb = new Arborist({
+    path: directory,
+    auditRegistry: 'http://localhost:9999',
+    ca: caCerts,
+    force: true,
+    dryRun: true,
+  })
+
+  const scope = nock('http://localhost:9999')
+    .persist()
+    .post('/-/npm/v1/security/advisories/bulk')
+    .reply(200, convertAdvisoriesToRegistryBulkFormat(advisories))
+
+  if (!nock.isActive()) {
+    nock.activate()
+  }
+
+  try {
+    const name = advisories[0].dependency_name
+    const auditReport = await arb.audit()
+    const vuln = auditReport.get(name)
+    const version = [...vuln.nodes][0].version
+    const fixAvailable = vuln.fixAvailable
+    const response = {
+      dependency_name: name,
+      current_version: version,
+      fix_available: Boolean(fixAvailable),
+      fix_updates: [],
+    }
+
+    if (!Boolean(fixAvailable)) {
+      return response
+    }
+
+    const chains = buildDependencyChains(auditReport, name)
+
+    // In order to consider the vuln dependency in question fixable,
+    // all dependency chains originating from it must be fixable.
+    if (chains.some((chain) => !Boolean(chain.fixAvailable))) {
+      response.fix_available = false
+      return response
+    }
+
+    for (const chain of chains) {
+      const topMost = chain.items[0]
+      if (topMost.name === name) {
+        continue
+      }
+      response.fix_updates.push({
+        dependency_name: topMost.name,
+        current_version: topMost.version,
+      })
+    }
+
+    const fixTree = await arb.audit({
+      fix: true,
+    })
+
+    response.target_version = fixTree.children.get(name)?.version
+
+    for (const update of response.fix_updates) {
+      update.target_version =
+        fixTree.children.get(update.dependency_name)?.version
+    }
+
+    return response
+  } finally {
+    nock.cleanAll()
+    nock.restore()
+  }
+}
+
+function convertAdvisoriesToRegistryBulkFormat(advisories) {
+  // npm audit differentiates advisories by `id`. In order to prevent
+  // advisories from being clobbered, we maintain a counter so that each
+  // advisory gets a unique `id`.
+  let nextAdvisoryId = 1
+
+  return advisories.reduce((formattedAdvisories, advisory) => {
+    if (!formattedAdvisories[advisory.dependency_name]) {
+      formattedAdvisories[advisory.dependency_name] = []
+    }
+    let formattedVersions =
+      advisory.affected_versions.reduce((memo, version) => {
+        memo.push({
+          id: nextAdvisoryId++,
+          vulnerable_versions: version
+        })
+        return memo
+      }, [])
+    formattedAdvisories[advisory.dependency_name].push(...formattedVersions)
+    return formattedAdvisories
+  }, {})
+}
+
+/* Traverses all effects originating from the named dependency in the
+ * audit report and builds an array of all dependency chains,
+ *   [
+ *    {
+ *      fixAvailable: true | false | object,
+ *      items: [
+ *        { name: 'foo', version: '1.0.0' },
+ *        ...
+ *      ]
+ *    },
+ *    ...
+ *   ]
+ *
+ * The first item in the chain is always the top-most dependency affected by
+ * the vulnerable dependency in question. The `fixAvailable` field
+ * applies to the first item in the chain (if that item is fixable, then
+ * every item after it must be fixable, too).
+ */
+function buildDependencyChains(auditReport, name, chain = { items: [] }) {
+  const vuln = auditReport.get(name)
+  const version = [...vuln.nodes][0].version
+  const item = { name, version }
+
+  if (!vuln.effects.size) {
+    // If the current vuln has no effects, we've reached the end of this chain.
+    return [{ fixAvailable: vuln.fixAvailable, items: [item, ...chain.items] }]
+  }
+
+  return [...vuln.effects].reduce((chains, effect) => {
+    return chains.concat(
+      buildDependencyChains(
+        auditReport, effect.name, { items: [item, ...chain.items] }))
+  }, [])
+}
+
+async function loadNpmConfig() {
+  const configOutput = await exec('npm config ls --json')
+  return JSON.parse(configOutput.stdout)
+}
+
+// sourced from npm's cli/lib/utils/config/definitions.js for reading certs from the cafile option
+const fs = require('fs')
+const maybeReadFile = file => {
+  try {
+    return fs.readFileSync(file, 'utf8')
+  } catch (er) {
+    if (er.code !== 'ENOENT') {
+      throw er
+    }
+    return null
+  }
+}
+
+function loadCACerts(npmConfig) {
+    if (npmConfig.ca) {
+      return npmConfig.ca
+    }
+
+    if (!npmConfig.cafile) {
+      return
+    }
+
+    const raw = maybeReadFile(npmConfig.cafile)
+    if (!raw) {
+      return
+    }
+
+    const delim = '-----END CERTIFICATE-----'
+    return raw.replace(/\r\n/g, '\n').split(delim)
+      .filter(section => section.trim())
+      .map(section => section.trimStart() + delim)
+}
+
+module.exports = { findVulnerableDependencies }