package-audit 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 40db656091a8559c095240ab373f96c905cc6b78898717c1932dff93428d8b6e
-  data.tar.gz: a3220c0f098a071c3cd429914b40bda20826e3157035e778513410c01bd1a566
+  metadata.gz: 55535a9ef08ce99d8cdacbfe15e0ec11e770f4803e4ef212d9ff4565111c89a6
+  data.tar.gz: 3f1efc9489c0ac9139f94bb7ed66d8ccee255e9c61f79440c899c0dcc4cd5885
 SHA512:
-  metadata.gz: 348811b4789ffb9dd446a15c6a73819adcf196737a3949689a18457f2b368daa7c2830f10063208e7073833c7b512feb1ddb36bf60e8376f2d84a2d40bd7d9e3
-  data.tar.gz: b3a779536d324ea28160defac771a242020168f4668ac8e7540d89e6c5db7f833c0c9caa435b8bb50b2cb807f8e211e2257d33e64aa80c61affd271e1a3fd24e
+  metadata.gz: 9c7ee67ccfadae05b1ec3a7e53d77ed8d977ae43bd54bbc0b95dee86e33ddceb87592089abc7a1410dba71c00802cc6172c3849d23e789878a9e8e14a1de2d96
+  data.tar.gz: 4ff43ca9c9e7bc410b545cde33b77798bfe71d40ebf92874235a695fb1862b2fa826849ce62f67cab831dfa22b987506248754e0a03b3827612e17b12df3f9be

data/lib/package/audit/cli.rb

@@ -1,9 +1,11 @@
-require_relative './const'
+require_relative './const/time'
 require_relative './version'
 require_relative './util/summary_printer'
 require_relative './ruby/bundler_specs'
-require_relative './dependency_printer'
+require_relative './printer'
 require_relative './ruby/gem_collection'
+require_relative './npm/node_collection'
+require_relative './command_service'
 
 require 'json'
 require 'thor'
@@ -15,81 +17,44 @@ module Package
 
       map '--version' => :version
 
-      desc 'report', 'Show a report of potentially deprecated, outdated or vulnerable gems'
+      desc 'report', 'Show a report of potentially deprecated, outdated or vulnerable packages'
       method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
       method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
 
       def report
         within_rescue_block do
-          gems = Ruby::GemCollection.all
-          DependencyPrinter.new(gems, options).print
-
-          if gems.any?
-            Util::SummaryPrinter.total(gems.length) unless options[:csv]
-            Util::SummaryPrinter.report unless options[:csv]
-            exit 1
-          else
-            exit_with_success 'There are no deprecated, outdated or vulnerable gems!'
-          end
+          exit CommandService.new(Dir.pwd, options).all
         end
       end
 
-      desc 'deprecated', "Show gems with no updates by author for at least #{Const::YEARS_ELAPSED_TO_BE_OUTDATED} years"
+      desc 'deprecated',
+           "Show packages with no updates by author for at least #{Const::Time::YEARS_ELAPSED_TO_BE_OUTDATED} years"
       method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
       method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
 
       def deprecated
         within_rescue_block do
-          gems = Ruby::GemCollection.deprecated
-          DependencyPrinter.new(gems, options).print(%i[name version latest_version latest_version_date groups])
-
-          if gems.any?
-            Util::SummaryPrinter.total(gems.length) unless options[:csv]
-            Util::SummaryPrinter.deprecated unless options[:csv]
-            exit 1
-          else
-            exit_with_success 'No potential deprecated have been found!'
-          end
+          exit CommandService.new(Dir.pwd, options).deprecated
         end
       end
 
-      desc 'outdated', 'Show gems, and optionally their dependencies, that are out of date'
-      method_option :'include-implicit', type: :boolean, default: false,
-                                         desc: 'Only both gems specified in Gemfile and their dependencies'
+      desc 'outdated', 'Show packages that are out of date'
       method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
       method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
 
-      def outdated # rubocop:disable Metrics/AbcSize
+      def outdated
         within_rescue_block do
-          gems = Ruby::GemCollection.outdated(include_implicit: options[:'include-implicit'])
-          DependencyPrinter.new(gems, options).print(%i[name version latest_version latest_version_date groups])
-
-          if gems.any?
-            Util::SummaryPrinter.total(gems.length) unless options[:csv]
-            Util::SummaryPrinter.outdated unless options[:'include-implicit'] || options[:csv]
-            exit 1
-          else
-            exit_with_success 'All gems are at latest versions!'
-          end
+          exit CommandService.new(Dir.pwd, options).outdated
         end
       end
 
-      desc 'vulnerable', 'Show gems and their dependencies that have security vulnerabilities'
+      desc 'vulnerable', 'Show packages and their dependencies that have security vulnerabilities'
       method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
       method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
 
       def vulnerable
         within_rescue_block do
-          gems = Ruby::GemCollection.vulnerable
-          DependencyPrinter.new(gems, options).print(%i[name version latest_version groups vulnerabilities])
-
-          if gems.any?
-            Util::SummaryPrinter.total(gems.length) unless options[:csv]
-            Util::SummaryPrinter.vulnerable unless options[:csv]
-            exit 1
-          else
-            exit_with_success 'No vulnerabilities found!'
-          end
+          exit CommandService.new(Dir.pwd, options).vulnerable
         end
       end
 
@@ -112,9 +77,6 @@ module Package
       private
 
       def within_rescue_block
-        raise "Gemfile was not found in #{Dir.pwd}/Gemfile" unless File.exist?("#{Dir.pwd}/Gemfile")
-        raise "Gemfile.lock was not found in #{Dir.pwd}/Gemfile.lock" unless File.exist?("#{Dir.pwd}/Gemfile.lock")
-
         yield
       rescue StandardError => e
         exit_with_error "#{e.class}: #{e.message}"
@@ -124,11 +86,6 @@ module Package
         puts Util::BashColor.red msg
         exit 1
       end
-
-      def exit_with_success(msg)
-        puts Util::BashColor.green msg
-        exit 0
-      end
     end
   end
 end

data/lib/package/audit/command_service.rb

@@ -0,0 +1,187 @@
+require_relative './const/cmd'
+require_relative './const/file'
+
+module Package
+  module Audit
+    class CommandService # rubocop:disable Metrics/ClassLength
+      RUBY_GEM = 'ruby gem'
+      NODE_MODULE = 'node module'
+
+      def initialize(dir, options)
+        @dir = dir
+        @options = options
+      end
+
+      def all # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedComplexity
+        pkgs = []
+
+        if ruby?
+          gems = Ruby::GemCollection.all
+          pkgs += gems
+          Printer.new(gems, @options).print(Const::Fields::REPORT)
+
+          unless @options[:csv]
+            if gems.any?
+              Util::SummaryPrinter.statistics(RUBY_GEM, gems)
+              Util::SummaryPrinter.vulnerable(RUBY_GEM, Const::Cmd::BUNDLE_AUDIT)
+            else
+              print_success_message "There are no deprecated, outdated or vulnerable #{RUBY_GEM}s!"
+            end
+          end
+        end
+
+        if node?
+          npms = Npm::NodeCollection.new(@dir).all
+          pkgs += npms
+          Printer.new(npms, @options).print(Const::Fields::REPORT)
+
+          unless @options[:csv]
+            if npms.any?
+              Util::SummaryPrinter.statistics(NODE_MODULE, npms)
+              Util::SummaryPrinter.vulnerable(NODE_MODULE, Const::Cmd::YARN_AUDIT)
+            else
+              print_success_message "There are no deprecated, outdated or vulnerable #{NODE_MODULE}s!"
+            end
+          end
+        end
+
+        pkgs.any?
+      end
+
+      def vulnerable # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedComplexity
+        pkgs = []
+
+        if ruby?
+          gems = Ruby::GemCollection.vulnerable
+          pkgs += gems
+          Printer.new(gems, @options).print(Const::Fields::VULNERABLE)
+
+          unless @options[:csv]
+            if gems.any?
+              Util::SummaryPrinter.total(RUBY_GEM, gems)
+              Util::SummaryPrinter.vulnerable(RUBY_GEM, Const::Cmd::BUNDLE_AUDIT)
+            else
+              print_success_message "There are no #{RUBY_GEM} vulnerabilities!"
+            end
+          end
+        end
+
+        if node?
+          npms = Npm::NodeCollection.new(@dir).vulnerable
+          pkgs += npms
+          Printer.new(npms, @options).print(Const::Fields::VULNERABLE)
+
+          unless @options[:csv]
+            if npms.any?
+              Util::SummaryPrinter.total(NODE_MODULE, npms)
+              Util::SummaryPrinter.vulnerable(NODE_MODULE, Const::Cmd::YARN_AUDIT)
+            else
+              print_success_message "There are no #{NODE_MODULE} vulnerabilities!"
+            end
+          end
+        end
+
+        pkgs.any?
+      end
+
+      def outdated # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedComplexity
+        pkgs = []
+
+        if ruby?
+          gems = Ruby::GemCollection.outdated
+          pkgs += gems
+          Printer.new(gems, @options).print(Const::Fields::OUTDATED)
+
+          unless @options[:csv]
+            if gems.any?
+              Util::SummaryPrinter.total(RUBY_GEM, gems)
+            else
+              print_success_message "There are no outdated #{RUBY_GEM}s!"
+            end
+          end
+        end
+
+        if node?
+          npms = Npm::NodeCollection.new(@dir).outdated
+          pkgs += npms
+          Printer.new(npms, @options).print(Const::Fields::OUTDATED)
+
+          unless @options[:csv]
+            if npms.any?
+              Util::SummaryPrinter.total(NODE_MODULE, npms)
+            else
+              print_success_message "There are no outdated #{NODE_MODULE}s!"
+            end
+          end
+        end
+
+        pkgs.any?
+      end
+
+      def deprecated # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedComplexity
+        pkgs = []
+
+        if ruby?
+          gems = Ruby::GemCollection.deprecated
+          pkgs += gems
+          Printer.new(gems, @options).print(Const::Fields::OUTDATED)
+
+          unless @options[:csv]
+            if gems.any?
+              Util::SummaryPrinter.total(RUBY_GEM, gems)
+              Util::SummaryPrinter.deprecated
+            else
+              print_success_message "There are no potentially deprecated #{RUBY_GEM}s!"
+            end
+          end
+        end
+
+        if node?
+          npms = Npm::NodeCollection.new(@dir).deprecated
+          pkgs += npms
+          Printer.new(npms, @options).print(Const::Fields::OUTDATED)
+
+          unless @options[:csv]
+            if npms.any?
+              Util::SummaryPrinter.total(NODE_MODULE, npms)
+              Util::SummaryPrinter.deprecated
+            else
+              print_success_message "There are no potentially deprecated #{NODE_MODULE}s!"
+            end
+          end
+        end
+
+        pkgs.any?
+      end
+
+      private
+
+      def ruby?
+        gemfile_present = File.exist?("#{@dir}/#{Const::File::GEMFILE}")
+        gemfile_lock_present = File.exist?("#{@dir}/#{Const::File::GEMFILE_LOCK}")
+
+        if gemfile_present && gemfile_lock_present
+          true
+        elsif gemfile_present
+          raise "#{Const::File::GEMFILE_LOCK} was not found in #{@dir}/"
+        end
+      end
+
+      def node?
+        package_json_present = File.exist?("#{@dir}/#{Const::File::PACKAGE_JSON}")
+        package_lock_json_present = File.exist?("#{@dir}/#{Const::File::PACKAGE_LOCK_JSON}")
+        yarn_lock_present = File.exist?("#{@dir}/#{Const::File::YARN_LOCK}")
+
+        if package_json_present && (package_lock_json_present || yarn_lock_present)
+          true
+        elsif package_json_present
+          raise "#{Const::File::PACKAGE_LOCK_JSON} or #{Const::File::YARN_LOCK} was not found in #{@dir}/"
+        end
+      end
+
+      def print_success_message(msg)
+        puts Util::BashColor.green msg
+      end
+    end
+  end
+end

data/lib/package/audit/const/cmd.rb

@@ -0,0 +1,16 @@
+module Package
+  module Audit
+    module Const
+      module Cmd
+        BUNDLE_AUDIT = 'bundle exec bundle-audit check --update'
+        BUNDLE_AUDIT_JSON = 'bundle exec bundle-audit check --update --quiet --format json'
+
+        NPM_AUDIT = 'npm audit'
+        NPM_AUDIT_JSON = 'npm audit --json'
+
+        YARN_AUDIT = 'yarn audit'
+        YARN_AUDIT_JSON = 'yarn audit --json'
+      end
+    end
+  end
+end

data/lib/package/audit/const/fields.rb

@@ -0,0 +1,36 @@
+module Package
+  module Audit
+    module Const
+      module Fields
+        ALL = %i[
+          name
+          version
+          version_date
+          latest_version
+          latest_version_date
+          groups
+          vulnerabilities
+          risk_type
+          risk_explanation
+        ]
+
+        REPORT = %i[name version latest_version latest_version_date groups vulnerabilities risk_type risk_explanation]
+        VULNERABLE = %i[name version latest_version groups vulnerabilities]
+        OUTDATED = %i[name version latest_version latest_version_date groups]
+
+        # the names of these fields must match the instance variables in the Dependency class
+        HEADERS = {
+          name: 'Package',
+          version: 'Version',
+          version_date: 'Date',
+          latest_version: 'Latest',
+          latest_version_date: 'Latest Date',
+          groups: 'Groups',
+          vulnerabilities: 'Vulnerabilities',
+          risk_type: 'Risk',
+          risk_explanation: 'Risk Explanation'
+        }
+      end
+    end
+  end
+end

data/lib/package/audit/const/file.rb

@@ -0,0 +1,13 @@
+module Package
+  module Audit
+    module Const
+      module File
+        GEMFILE = 'Gemfile'
+        GEMFILE_LOCK = 'Gemfile.lock'
+        PACKAGE_JSON = 'package.json'
+        PACKAGE_LOCK_JSON = 'package-lock.json'
+        YARN_LOCK = 'yarn.lock'
+      end
+    end
+  end
+end

data/lib/package/audit/const/time.rb

@@ -0,0 +1,11 @@
+module Package
+  module Audit
+    module Const
+      module Time
+        SECONDS_PER_YEAR = 31_556_952 # length of a gregorian year (365.2425 days)
+        YEARS_ELAPSED_TO_BE_OUTDATED = 2
+        SECONDS_ELAPSED_TO_BE_OUTDATED = SECONDS_PER_YEAR * YEARS_ELAPSED_TO_BE_OUTDATED
+      end
+    end
+  end
+end

data/lib/package/audit/duplicate_package_merger.rb

@@ -0,0 +1,26 @@
+module Package
+  module Audit
+    class DuplicatePackageMerger
+      def initialize(pkgs)
+        @pkgs = pkgs.sort_by(&:full_name)
+      end
+
+      def run # rubocop:disable Metrics/AbcSize
+        pkgs = @pkgs.take(1)
+
+        @pkgs[1..]&.each do |curr|
+          prev = pkgs[-1]
+          if curr.full_name == prev.full_name
+            prev.update(groups: prev.groups | curr.groups,
+                        vulnerabilities: prev.vulnerabilities + curr.vulnerabilities,
+                        risks: prev.risks + curr.risks)
+          else
+            pkgs << curr
+          end
+        end
+
+        pkgs
+      end
+    end
+  end
+end

data/lib/package/audit/enum/environment.rb

@@ -1,5 +1,3 @@
-require_relative '../const'
-
 module Package
   module Audit
     module Enum

data/lib/package/audit/enum/risk_explanation.rb

@@ -1,10 +1,10 @@
-require_relative '../const'
+require_relative '../const/time'
 
 module Package
   module Audit
     module Enum
       module RiskExplanation
-        POTENTIAL_DEPRECATION = "no updates by author in over #{Const::YEARS_ELAPSED_TO_BE_OUTDATED} years"
+        POTENTIAL_DEPRECATION = "no updates by author in over #{Const::Time::YEARS_ELAPSED_TO_BE_OUTDATED} years"
         OUTDATED_BY_MAJOR_VERSION = 'behind by a major version'
         OUTDATED = 'not at latest version'
         VULNERABILITY = 'security vulnerability'

data/lib/package/audit/enum/vulnerability_type.rb

@@ -5,6 +5,7 @@ module Package
         NONE = 'none'
         LOW = 'low'
         MEDIUM = 'medium'
+        MODERATE = 'moderate'
         HIGH = 'high'
         CRITICAL = 'critical'
         UNKNOWN = 'unknown'

data/lib/package/audit/formatter/version.rb

@@ -12,16 +12,17 @@ module Package
         end
 
         def format # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+          version_parts = @curr.split('.').map(&:to_i)
+          latest_version_parts = @target.split('.').map(&:to_i)
           curr_tokens = @curr.split('.')
-          target_tokens = @target.split('.')
 
-          if curr_tokens[0] && curr_tokens[0] < target_tokens[0]
+          if (version_parts.first || 0) < (latest_version_parts.first || 0)
             Util::BashColor.orange(@curr)
-          elsif curr_tokens[1] && curr_tokens[1] < target_tokens[1]
+          elsif version_parts[1] && latest_version_parts[1] && version_parts[1] < latest_version_parts[1]
             "#{curr_tokens[0]}.#{Util::BashColor.yellow(curr_tokens[1..]&.join('.'))}"
-          elsif curr_tokens[2] && curr_tokens[2] < target_tokens[2]
+          elsif version_parts[2] && latest_version_parts[2] && version_parts[2] < latest_version_parts[2]
             "#{curr_tokens[0..1]&.join('.')}.#{Util::BashColor.green(curr_tokens[2..]&.join('.'))}"
-          elsif curr_tokens[3] && curr_tokens[3] < target_tokens[3]
+          elsif version_parts[3] && latest_version_parts[3] && version_parts[3] < latest_version_parts[3]
             "#{curr_tokens[0..2]&.join('.')}.#{Util::BashColor.green(curr_tokens[3])}"
           else
             @curr

data/lib/package/audit/formatter/version_date.rb

@@ -1,5 +1,5 @@
-require_relative '../const'
 require_relative './base'
+require_relative '../const/time'
 require_relative '../util/bash_color'
 
 require 'time'
@@ -16,7 +16,7 @@ module Package
         def format
           seconds_since_date = (Time.now - Time.parse(@date)).to_i
 
-          if seconds_since_date >= Const::SECONDS_ELAPSED_TO_BE_OUTDATED
+          if seconds_since_date >= Const::Time::SECONDS_ELAPSED_TO_BE_OUTDATED
             Util::BashColor.yellow(@date)
           else
             @date

data/lib/package/audit/formatter/vulnerability.rb

@@ -16,7 +16,7 @@ module Package
             case vulnerability
             when Enum::VulnerabilityType::UNKNOWN, Enum::VulnerabilityType::CRITICAL, Enum::VulnerabilityType::HIGH
               Util::BashColor.red(vulnerability)
-            when Enum::VulnerabilityType::MEDIUM
+            when Enum::VulnerabilityType::MEDIUM, Enum::VulnerabilityType::MODERATE
               Util::BashColor.orange(vulnerability)
             when Enum::VulnerabilityType::LOW
               Util::BashColor.yellow(vulnerability)

data/lib/package/audit/npm/node_collection.rb

@@ -0,0 +1,64 @@
+require_relative './yarn_lock_parser'
+require_relative './npm_meta_data'
+require_relative './vulnerability_finder'
+require_relative '../duplicate_package_merger'
+
+module Package
+  module Audit
+    module Npm
+      class NodeCollection
+        PACKAGE_JSON = 'package.json'
+        PACKAGE_LOCK = 'package-lock.json'
+        YARN_LOCK = 'yarn.lock'
+
+        def initialize(dir)
+          @dir = dir
+        end
+
+        def all
+          implicit_pkgs = fetch_from_lock_file
+          vulnerable_pkgs = VulnerabilityFinder.new(implicit_pkgs).run
+          pkgs = NpmMetaData.new(vulnerable_pkgs + implicit_pkgs).fetch.filter(&:risk?)
+          DuplicatePackageMerger.new(pkgs).run
+        end
+
+        def deprecated
+          implicit_pkgs = fetch_from_lock_file
+          pkgs = NpmMetaData.new(implicit_pkgs).fetch.filter(&:deprecated?)
+          DuplicatePackageMerger.new(pkgs).run
+        end
+
+        def outdated
+          implicit_pkgs = fetch_from_lock_file
+          pkgs = NpmMetaData.new(implicit_pkgs).fetch.filter(&:outdated?)
+          DuplicatePackageMerger.new(pkgs).run
+        end
+
+        def vulnerable
+          implicit_pkgs = fetch_from_lock_file
+          vulnerable_pkgs = VulnerabilityFinder.new(implicit_pkgs).run
+          pkgs = NpmMetaData.new(vulnerable_pkgs).fetch
+          DuplicatePackageMerger.new(pkgs).run
+        end
+
+        private
+
+        def fetch_from_package_json
+          package_json = JSON.parse(File.read("#{@dir}/#{PACKAGE_JSON}"), symbolize_names: true)
+          default_deps = package_json[:dependencies] || {}
+          dev_deps = package_json[:devDependencies] || {}
+          [default_deps, dev_deps]
+        end
+
+        def fetch_from_lock_file
+          default_deps, dev_deps = fetch_from_package_json
+          if File.exist?("#{@dir}/#{YARN_LOCK}")
+            YarnLockParser.new("#{@dir}/#{YARN_LOCK}").fetch(default_deps || {}, dev_deps || {})
+          else
+            []
+          end
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/npm/npm_meta_data.rb

@@ -0,0 +1,41 @@
+require 'json'
+require 'net/http'
+
+module Package
+  module Audit
+    module Npm
+      class NpmMetaData
+        REGISTRY_URL = 'https://registry.npmjs.org'
+
+        def initialize(packages)
+          @packages = packages
+        end
+
+        def fetch
+          threads = @packages.map do |package|
+            Thread.new do
+              response = Net::HTTP.get_response(URI.parse("#{REGISTRY_URL}/#{package.name}"))
+              raise response.error unless response.is_a?(Net::HTTPSuccess)
+
+              json_package = JSON.parse(response.body, symbolize_names: true)
+              update_meta_data(package, json_package)
+            end
+          end
+          threads.each(&:join)
+          @packages
+        end
+
+        private
+
+        def update_meta_data(package, json_data)
+          latest_version = json_data[:'dist-tags'][:latest]
+          version_date = json_data[:time][package.version.to_sym]
+          latest_version_date = json_data[:time][latest_version.to_sym]
+          package.update version_date: Time.parse(version_date).strftime('%Y-%m-%d'),
+                         latest_version: latest_version,
+                         latest_version_date: Time.parse(latest_version_date).strftime('%Y-%m-%d')
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/npm/vulnerability_finder.rb

@@ -0,0 +1,43 @@
+require_relative '../const/cmd'
+require_relative '../enum/vulnerability_type'
+
+module Package
+  module Audit
+    module Npm
+      class VulnerabilityFinder
+        AUDIT_ADVISORY_REGEX = /^{"type":"auditAdvisory".*$/
+
+        def initialize(pkgs)
+          @pkg_hash = pkgs.to_h { |pkg| [pkg.name, pkg] }
+          @vuln_hash = {}
+        end
+
+        def run
+          json_string_lines = `#{Const::Cmd::YARN_AUDIT_JSON}`
+          array = json_string_lines.scan(AUDIT_ADVISORY_REGEX)
+
+          vulnerability_json_array = JSON.parse("[#{array.join(',')}]", symbolize_names: true)
+          vulnerability_json_array.each do |vulnerability_json|
+            update_meta_data(vulnerability_json)
+          end
+          @vuln_hash.values
+        end
+
+        private
+
+        def update_meta_data(json) # rubocop:disable Metrics/AbcSize
+          parent_name = json[:data][:resolution][:path].split('>').first
+          advisory = json[:data][:advisory]
+          name = advisory[:module_name]
+          version = advisory[:findings][0][:version]
+          full_name = "#{name}@#{version}"
+          vulnerability = advisory[:severity] || Enum::VulnerabilityType::UNKNOWN
+
+          @vuln_hash[full_name] = Package.new(name, version) unless @vuln_hash.key? full_name
+          @vuln_hash[full_name].update vulnerabilities: @vuln_hash[full_name].vulnerabilities + [vulnerability]
+          @vuln_hash[full_name].update groups: @pkg_hash[parent_name].groups
+        end
+      end
+    end
+  end
+end