dependabot-npm_and_yarn 0.195.0 → 0.196.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 331f32c7de63c0e1d6fba3c5fa07440bd1a2ecbd7b4bf6eb9fc5bc7f65df961b
-  data.tar.gz: b5ca5c033cab29f1bb7ad956777bf209825a9cba3632f2cf69ae2635f35408d1
+  metadata.gz: 17d091442f5535aee32eff806235c2c2fd5a003c1a0462020b66ed72877193c5
+  data.tar.gz: 0bc5a3ea0d891b2b146b576fa173e335b61e6495eb7d5246fffc9c7742dc2e55
 SHA512:
-  metadata.gz: 35aea567a10c997e1c6b231da5d8f3042dd5ce41182a750de50ed9f3d9e5852f578bcb2d9e5c75d6bef4f9280d2d64d85852315634ab3c15d4e0c30fc7fa81c7
-  data.tar.gz: c1ba801b5b44b4a813baad59f6e5b1de4e4df1112178bda5025efac571fadbf7fbb18149d0f58dcfe3e69ab7b9215f16dc6aa5551e27c8dd83bd3b41c15aefdb
+  metadata.gz: 488838fc133bb86735d241857ce6ce2825a2b00d555568999c435426e64b94a01f657f685f53b4f354daeb2437d257dcd319b4e935303bc8eb2237379ef25bd7
+  data.tar.gz: 239df30dd2eb4694e28f7382c1bfa6c75dc64b94d3d086c7831bbe893d1d06c5cb86244ad93635a192f0e96f6d3aa91aba6cefb535464f77492bad8796454c4b

data/helpers/lib/npm/index.js

@@ -1,6 +1,9 @@
 const conflictingDependencyParser = require("./conflicting-dependency-parser");
+const vulnerabilityAuditor = require("./vulnerability-auditor");
 
 module.exports = {
   findConflictingDependencies:
     conflictingDependencyParser.findConflictingDependencies,
+  vulnerabilityAuditor:
+    vulnerabilityAuditor.findVulnerableDependencies,
 };

data/helpers/lib/npm/vulnerability-auditor.js

@@ -0,0 +1,243 @@
+/* Vulnerability auditor for npm
+ *
+ * Inputs:
+ *  - path to directory containing a package.json and a package-lock.json
+ *  - array of security advisories to audit for,
+ *      [
+ *        { dependency_name: string, affected_versions: [string, ...] },
+ *        ...
+ *      ]
+ *
+ * Outputs:
+ *  - object indicating whether a fix is available and how to achieve it,
+ *      {
+ *        dependency_name: string,
+ *        current_version: string,
+ *        target_version: string,
+ *        fix_available: boolean | object,
+ *        fix_updates: [
+ *          {
+ *            dependency_name: string,
+ *            current_version: string,
+ *            target_version: string
+ *          },
+ *          ...
+ *        ]
+ *      }
+ */
+
+const Arborist = require('@npmcli/arborist')
+const nock = require('nock')
+const { promisify } = require('util');
+const exec = promisify(require('child_process').exec)
+
+async function findVulnerableDependencies(directory, advisories) {
+  const npmConfig = await loadNpmConfig()
+  const caCerts = loadCACerts(npmConfig)
+  const registryOpts = extractRegistryOptions(npmConfig)
+  const registryCreds = loadNpmConfigCredentials(directory)
+
+  const arb = new Arborist({
+    path: directory,
+    auditRegistry: 'http://localhost:9999',
+    ca: caCerts,
+    force: true,
+    dryRun: true,
+    ...registryOpts,
+    ...registryCreds,
+  })
+
+  const scope = nock('http://localhost:9999')
+    .persist()
+    .post('/-/npm/v1/security/advisories/bulk')
+    .reply(200, convertAdvisoriesToRegistryBulkFormat(advisories))
+
+  if (!nock.isActive()) {
+    nock.activate()
+  }
+
+  try {
+    const name = advisories[0].dependency_name
+    const auditReport = await arb.audit()
+    const vuln = auditReport.get(name)
+    const version = [...vuln.nodes][0].version
+    const fixAvailable = vuln.fixAvailable
+    const response = {
+      dependency_name: name,
+      current_version: version,
+      fix_available: Boolean(fixAvailable),
+      fix_updates: [],
+    }
+
+    if (!Boolean(fixAvailable)) {
+      return response
+    }
+
+    const chains = buildDependencyChains(auditReport, name)
+
+    // In order to consider the vuln dependency in question fixable,
+    // all dependency chains originating from it must be fixable.
+    if (chains.some((chain) => !Boolean(chain.fixAvailable))) {
+      response.fix_available = false
+      return response
+    }
+
+    for (const chain of chains) {
+      const topMost = chain.items[0]
+      if (topMost.name === name) {
+        continue
+      }
+      response.fix_updates.push({
+        dependency_name: topMost.name,
+        current_version: topMost.version,
+      })
+    }
+
+    const fixTree = await arb.audit({
+      fix: true,
+    })
+
+    response.target_version = fixTree.children.get(name)?.version
+
+    for (const update of response.fix_updates) {
+      update.target_version =
+        fixTree.children.get(update.dependency_name)?.version
+    }
+
+    return response
+  } finally {
+    nock.cleanAll()
+    nock.restore()
+  }
+}
+
+function convertAdvisoriesToRegistryBulkFormat(advisories) {
+  // npm audit differentiates advisories by `id`. In order to prevent
+  // advisories from being clobbered, we maintain a counter so that each
+  // advisory gets a unique `id`.
+  let nextAdvisoryId = 1
+
+  return advisories.reduce((formattedAdvisories, advisory) => {
+    if (!formattedAdvisories[advisory.dependency_name]) {
+      formattedAdvisories[advisory.dependency_name] = []
+    }
+    let formattedVersions =
+      advisory.affected_versions.reduce((memo, version) => {
+        memo.push({
+          id: nextAdvisoryId++,
+          vulnerable_versions: version
+        })
+        return memo
+      }, [])
+    formattedAdvisories[advisory.dependency_name].push(...formattedVersions)
+    return formattedAdvisories
+  }, {})
+}
+
+/* Traverses all effects originating from the named dependency in the
+ * audit report and builds an array of all dependency chains,
+ *   [
+ *    {
+ *      fixAvailable: true | false | object,
+ *      items: [
+ *        { name: 'foo', version: '1.0.0' },
+ *        ...
+ *      ]
+ *    },
+ *    ...
+ *   ]
+ *
+ * The first item in the chain is always the top-most dependency affected by
+ * the vulnerable dependency in question. The `fixAvailable` field
+ * applies to the first item in the chain (if that item is fixable, then
+ * every item after it must be fixable, too).
+ */
+function buildDependencyChains(auditReport, name, chain = { items: [] }) {
+  const vuln = auditReport.get(name)
+  const version = [...vuln.nodes][0].version
+  const item = { name, version }
+
+  if (!vuln.effects.size) {
+    // If the current vuln has no effects, we've reached the end of this chain.
+    return [{ fixAvailable: vuln.fixAvailable, items: [item, ...chain.items] }]
+  }
+
+  return [...vuln.effects].reduce((chains, effect) => {
+    return chains.concat(
+      buildDependencyChains(
+        auditReport, effect.name, { items: [item, ...chain.items] }))
+  }, [])
+}
+
+async function loadNpmConfig() {
+  const configOutput = await exec('npm config ls --json')
+  return JSON.parse(configOutput.stdout)
+}
+
+function extractRegistryOptions(npmConfig) {
+  const opts = []
+  for (const [key, value] of Object.entries(npmConfig)) {
+    if (key == "registry" || key.endsWith(":registry")) {
+      opts.push([key, value])
+    }
+  }
+  return Object.fromEntries(opts)
+}
+
+// loadNpmConfig doesn't return registry credentials so we need to manually extract them. If available,
+// Dependabot will have written them to the project's .npmrc file.
+const ini = require('ini')
+const path = require('path')
+
+const credKeys = ['token', '_authToken', '_auth']
+
+function loadNpmConfigCredentials(projectDir) {
+  const projectNpmrc = maybeReadFile(path.join(projectDir, '.npmrc'))
+  if (!projectNpmrc) {
+    return {}
+  }
+
+  const credentials = []
+  const config = ini.parse(projectNpmrc)
+  for (const [key, value] of Object.entries(config)) {
+    if (credKeys.includes(key) || credKeys.some((credKey) => key.endsWith(':' + credKey))) {
+      credentials.push([key, value])
+    }
+  }
+  return Object.fromEntries(credentials)
+}
+
+// sourced from npm's cli/lib/utils/config/definitions.js for reading certs from the cafile option
+const fs = require('fs')
+const maybeReadFile = file => {
+  try {
+    return fs.readFileSync(file, 'utf8')
+  } catch (er) {
+    if (er.code !== 'ENOENT') {
+      throw er
+    }
+    return null
+  }
+}
+
+function loadCACerts(npmConfig) {
+    if (npmConfig.ca) {
+      return npmConfig.ca
+    }
+
+    if (!npmConfig.cafile) {
+      return
+    }
+
+    const raw = maybeReadFile(npmConfig.cafile)
+    if (!raw) {
+      return
+    }
+
+    const delim = '-----END CERTIFICATE-----'
+    return raw.replace(/\r\n/g, '\n').split(delim)
+      .filter(section => section.trim())
+      .map(section => section.trimStart() + delim)
+}
+
+module.exports = { findVulnerableDependencies }