RubyGems - package-audit - Versions diffs - 0.6.2 → 0.7.0 - Mend

package-audit 0.6.2 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/lib/package/audit/formatter/version.rb +2 -0
data/lib/package/audit/formatter/version_date.rb +2 -0
data/lib/package/audit/npm/node_collection.rb +8 -6
data/lib/package/audit/npm/npm_meta_data.rb +90 -32
data/lib/package/audit/npm/vulnerability_finder.rb +22 -7
data/lib/package/audit/npm/yarn_lock_parser.rb +143 -23
data/lib/package/audit/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cca016948e4ab3d4643c8e7c7b6bca064873a0b390709d6318d899ee03464c36
-  data.tar.gz: '037543298033670ef8cd62ceb31a021389e55b0baf634117777018933d89b6b3'
+  metadata.gz: 117d0d8171512241e50a454b4d20a7282406719ad0a64f0805588152e24afd35
+  data.tar.gz: 11c35e745e5a07ba2321cd8c301136e45e5daf3a1a03ab07d63cb5de7b860099
 SHA512:
-  metadata.gz: 494ad5afd212b57e596fd599b8b57f86453c3cb5f988d4ae88a572c685a83f8ba4c39c750353e962453d98ba3336d30ecf1da729ffad4c26cfce418c049e56eb
-  data.tar.gz: 6088d06e5a5ccbf73d9ecd3e3fbcd130030dbc47ca861a910f56ba21850ae467eda5f7a4b0064200d18bb1d7fe461f7db561f64f471b0c747a25d6bc18ec9115
+  metadata.gz: f1a2add78503fbbba1af45a7e311a69b9cc5e1e17de4bff0e3707267a988ec65697b8a6cf1aab996be67ca6629939555dcfc1728ba9fd16afb524ef8b7083f8a
+  data.tar.gz: 4ff3cdd346772bc543ea0aa5b57bdb1eb6c983a1a2fdc43c78b29f9b029e3615b91c44b0caf6df3a68cd0ee0c6da64acfc6083b2ac023464f74e9fad226be41f

data/lib/package/audit/formatter/version.rb CHANGED Viewed

@@ -12,6 +12,8 @@ module Package
         end
         def format # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+          return @curr if @target.nil? # No latest version available
           version_parts = @curr.split('.').map(&:to_i)
           latest_version_parts = @target.split('.').map(&:to_i)
           curr_tokens = @curr.split('.')

data/lib/package/audit/formatter/version_date.rb CHANGED Viewed

@@ -14,6 +14,8 @@ module Package
         end
         def format
+          return 'unknown' if @date.nil? # Handle private packages
           seconds_since_date = (Time.now - Time.parse(@date)).to_i
           if seconds_since_date >= Const::Time::SECONDS_ELAPSED_TO_BE_OUTDATED

data/lib/package/audit/npm/node_collection.rb CHANGED Viewed

@@ -55,15 +55,16 @@ module Package
         private
         def fetch_from_package_json
-          package_json = JSON.parse(File.read("#{@dir}/#{Const::File::PACKAGE_JSON}"), symbolize_names: true)
-          default_deps = package_json[:dependencies] || {}
-          dev_deps = package_json[:devDependencies] || {}
+          package_json = JSON.parse(File.read("#{@dir}/#{Const::File::PACKAGE_JSON}"))
+          default_deps = package_json['dependencies'] || {}
+          dev_deps = package_json['devDependencies'] || {}
+          resolutions = package_json['resolutions'] || {}
           # Filter out local dependencies before processing
           default_deps = filter_local_dependencies(default_deps)
           dev_deps = filter_local_dependencies(dev_deps)
-          [default_deps, dev_deps]
+          [default_deps, dev_deps, resolutions]
         end
         def filter_local_dependencies(dependencies)
@@ -79,9 +80,10 @@ module Package
         end
         def fetch_from_lock_file
-          default_deps, dev_deps = fetch_from_package_json
+          default_deps, dev_deps, resolutions = fetch_from_package_json
           if File.exist?("#{@dir}/#{Const::File::YARN_LOCK}")
-            YarnLockParser.new("#{@dir}/#{Const::File::YARN_LOCK}").fetch(default_deps || {}, dev_deps || {})
+            YarnLockParser.new("#{@dir}/#{Const::File::YARN_LOCK}").fetch(default_deps || {}, dev_deps || {},
+                                                                          resolutions || {})
           else
             []
           end

data/lib/package/audit/npm/npm_meta_data.rb CHANGED Viewed

@@ -7,42 +7,27 @@ module Package
     module Npm
       class NpmMetaData
         REGISTRY_URL = 'https://registry.npmjs.org'
+        BATCH_SIZE = 10 # Process 10 packages at a time
+        MAX_RETRIES = 3 # Maximum number of retries per request
+        INITIAL_RETRY_DELAY = 1 # Initial retry delay in seconds
+        TIMEOUT = 10 # Timeout in seconds
         def initialize(packages)
           @packages = packages
         end
-        def fetch # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength
-          threads = @packages.map do |package|
-            Thread.new do
-              response = Net::HTTP.get_response(URI.parse("#{REGISTRY_URL}/#{package.name}"))
-              raise "Unable to fetch meta data for #{package.name} from #{REGISTRY_URL} (#{response.class})" unless
-                response.is_a?(Net::HTTPSuccess)
-              json_package = JSON.parse(response.body, symbolize_names: true)
-              update_meta_data(package, json_package)
-            rescue Net::TimeoutError, Net::OpenTimeout, Net::ReadTimeout => e
-              warn "Warning: Network timeout while fetching metadata for #{package.name}: #{e.message}"
-              Thread.current[:exception] = e
-            rescue SocketError, Errno::ECONNREFUSED, Errno::EHOSTUNREACH => e
-              warn "Warning: Network error while fetching metadata for #{package.name}: #{e.message}"
-              Thread.current[:exception] = e
-            rescue StandardError => e
-              Thread.current[:exception] = e
-            end
-          end
+        def fetch # rubocop:disable Metrics/MethodLength
           network_errors = []
-          threads.each do |thread|
-            thread.join
-            next unless thread[:exception]
-            case thread[:exception]
-            when Net::TimeoutError, Net::OpenTimeout, Net::ReadTimeout, SocketError, Errno::ECONNREFUSED, Errno::EHOSTUNREACH # rubocop:disable Layout/LineLength
-              network_errors << thread[:exception]
-            else
-              raise thread[:exception]
+          @packages.each_slice(BATCH_SIZE) do |batch|
+            threads = batch.map do |package|
+              Thread.new do
+                fetch_package_metadata(package, network_errors)
+              end
             end
+            threads.each(&:join)
+            sleep(0.1) # Small delay between batches to avoid overwhelming the server
           end
           unless network_errors.empty?
@@ -55,10 +40,83 @@ module Package
         private
+        def fetch_package_metadata(package, network_errors, retry_count = 0)
+          response = make_request_with_retry(package.name, retry_count)
+          return if response.nil?
+          json_package = JSON.parse(response.body, symbolize_names: true)
+          update_meta_data(package, json_package)
+        rescue StandardError => e
+          handle_error(package, e, network_errors)
+        end
+        def make_request_with_retry(package_name, retry_count)
+          response = make_request(package_name)
+          return nil if response.is_a?(Net::HTTPNotFound) # Skip 404s - likely private packages
+          raise "Unable to fetch meta data for #{package_name} from #{REGISTRY_URL} (#{response.class})" unless
+            response.is_a?(Net::HTTPSuccess)
+          response
+        rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, Errno::ECONNREFUSED, Errno::EHOSTUNREACH
+          return nil if retry_count >= MAX_RETRIES
+          retry_after_delay(retry_count)
+          retry_count += 1
+          retry
+        end
+        def handle_error(package, error, network_errors)
+          # Don't warn about 404s for private packages
+          return if error.is_a?(RuntimeError) && error.message.include?('(Net::HTTPNotFound)')
+          warn "Warning: Error while fetching metadata for #{package.name}: #{error.message}"
+          network_errors << error
+        end
+        def make_request(package_name)
+          uri = URI(REGISTRY_URL)
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = true
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          http.read_timeout = TIMEOUT
+          http.open_timeout = TIMEOUT
+          path = "/#{package_name}"
+          http.get(path)
+        end
+        def retry_after_delay(retry_count)
+          delay = INITIAL_RETRY_DELAY * (2**retry_count) # Exponential backoff
+          sleep(delay)
+        end
         def update_meta_data(package, json_data)
-          latest_version = json_data[:'dist-tags'][:latest]
-          version_date = json_data[:time][package.version.to_sym]
-          latest_version_date = json_data[:time][latest_version.to_sym]
+          # No early return - let's try to get metadata even if version is unknown
+          latest_version = find_latest_version(json_data)
+          return unless latest_version
+          dates = find_version_dates(json_data, package.version, latest_version)
+          return unless dates
+          update_package_metadata(package, latest_version, dates)
+        end
+        def find_latest_version(json_data)
+          json_data[:'dist-tags']&.[](:latest)
+        end
+        def find_version_dates(json_data, version, latest_version)
+          version_date = json_data[:time]&.[](version.to_sym)
+          latest_version_date = json_data[:time]&.[](latest_version.to_sym)
+          return unless version_date || latest_version_date # Return if both dates are missing
+          [version_date || latest_version_date, latest_version_date || version_date]
+        end
+        def update_package_metadata(package, latest_version, dates)
+          version_date, latest_version_date = dates
           package.update version_date: Time.parse(version_date).strftime('%Y-%m-%d'),
                          latest_version: latest_version,
                          latest_version_date: Time.parse(latest_version_date).strftime('%Y-%m-%d')

data/lib/package/audit/npm/vulnerability_finder.rb CHANGED Viewed

@@ -32,17 +32,32 @@ module Package
         private
-        def update_meta_data(json) # rubocop:disable Metrics/AbcSize
-          parent_name = json[:data][:resolution][:path].split('>').first
+        def update_meta_data(json)
+          resolution_path = json.dig(:data, :resolution, :path)
+          return unless resolution_path # Skip if no resolution path (private package)
+          parent_name = resolution_path.split('>').first
           advisory = json[:data][:advisory]
-          name = advisory[:module_name]
-          version = advisory[:findings][0][:version]
+          package_info = extract_package_info(advisory)
+          update_vulnerability_info(package_info, parent_name, advisory[:severity])
+        end
+        def extract_package_info(advisory)
+          {
+            name: advisory[:module_name],
+            version: advisory[:findings][0][:version]
+          }
+        end
+        def update_vulnerability_info(package_info, parent_name, severity)
+          name = package_info[:name]
+          version = package_info[:version]
           full_name = "#{name}@#{version}"
-          vulnerability = advisory[:severity] || Enum::VulnerabilityType::UNKNOWN
+          vulnerability = severity || Enum::VulnerabilityType::UNKNOWN
-          @vuln_hash[full_name] = Package.new(name, version, 'node') unless @vuln_hash.key? full_name
+          @vuln_hash[full_name] ||= Package.new(name, version, 'node')
           @vuln_hash[full_name].update vulnerabilities: @vuln_hash[full_name].vulnerabilities + [vulnerability]
-          @vuln_hash[full_name].update groups: @pkg_hash[parent_name].groups.map(&:to_s)
+          @vuln_hash[full_name].update groups: @pkg_hash[parent_name]&.groups&.map(&:to_s) || []
         end
       end
     end

data/lib/package/audit/npm/yarn_lock_parser.rb CHANGED Viewed

@@ -9,45 +9,127 @@ module Package
           @yarn_lock_path = yarn_lock_path
         end
-        def fetch(default_deps, dev_deps) # rubocop:disable Metrics/MethodLength
-          pkgs = []
-          default_deps.merge(dev_deps).each do |dep_name, expected_version|
-            pkg_block = fetch_package_block(dep_name, expected_version)
-            version = fetch_package_version(dep_name, pkg_block)
-            pks = Package.new(dep_name.to_s, version, 'node')
-            pks.update groups: if dev_deps.key?(dep_name)
-                                 [Enum::Group::DEV]
-                               else
-                                 [Enum::Group::DEFAULT, Enum::Group::DEV]
-                               end
-            pkgs << pks
+        def fetch(default_deps, dev_deps, resolutions = {})
+          default_deps.merge(dev_deps).map do |dep_name, expected_version|
+            process_package(dep_name, expected_version, dev_deps, resolutions)
           end
-          pkgs
         end
         private
-        def fetch_package_block(dep_name, expected_version)
-          regex = regex_pattern_for_package(dep_name, expected_version)
-          blocks = @yarn_lock_file.match(regex)
-          if blocks.nil? || blocks[0].nil?
-            raise NoMatchingPatternError, "Unable to find \"#{dep_name}\" in #{@yarn_lock_path}"
+        def process_package(dep_name, expected_version, dev_deps, resolutions)
+          version_to_check = get_version_to_check(dep_name, expected_version, resolutions)
+          pkg_block = fetch_package_block(dep_name, version_to_check)
+          version = fetch_package_version(dep_name, pkg_block)
+          create_package(dep_name, version, dev_deps)
+        end
+        def get_version_to_check(dep_name, expected_version, resolutions)
+          version_to_check = resolutions[dep_name] || expected_version
+          return version_to_check unless version_to_check.start_with?('patch:')
+          patch_version = version_to_check.match(/patch:.*?@npm%3A([\d.-]+)#/)&.captures&.[](0)
+          patch_version || version_to_check
+        end
+        def create_package(dep_name, version, dev_deps)
+          pks = Package.new(dep_name.to_s, version, 'node')
+          pks.update groups: package_groups(dep_name, dev_deps)
+          pks
+        end
+        def package_groups(dep_name, dev_deps)
+          if dev_deps.key?(dep_name)
+            [Enum::Group::DEV]
+          else
+            [Enum::Group::DEFAULT, Enum::Group::DEV]
           end
+        end
+        def fetch_package_block(dep_name, expected_version)
+          blocks = find_package_blocks(dep_name)
+          raise NoMatchingPatternError, "Unable to find \"#{dep_name}\" in #{@yarn_lock_path}" if blocks.empty?
+          find_matching_block(blocks, dep_name, expected_version)
+        end
+        def find_package_blocks(dep_name)
+          block_pattern = build_block_pattern(dep_name)
+          @yarn_lock_file.scan(block_pattern)
+        end
+        def build_block_pattern(dep_name)
+          /
+            ^["']?                                # Start of line with optional quote
+            (?:[^"\n]+,\s*)*                     # Any previous entries in a comma-separated list
+            (?:patch:)?                          # Optional patch prefix
+            #{Regexp.escape(dep_name)}@[^:\n]+   # Our package name and version
+            (?:[^"\n]*,\s*[^"\n]+)*             # Any following entries
+            ["']?:.*?                            # End quote and colon, followed by the rest
+            (?:resolution:.*?)?                  # Optional resolution field
+            (?=\n["']|\n\s*\n|\z)               # Until next entry or end of file
+          /mx
+        end
-          blocks[0] || ''
+        def find_matching_block(blocks, dep_name, expected_version)
+          version_pattern = build_version_pattern(dep_name, expected_version)
+          blocks.find { |block| block.match?(version_pattern) } || blocks.first
+        end
+        def build_version_pattern(dep_name, expected_version)
+          /
+            (?:patch:)?#{Regexp.escape(dep_name)}@
+            (?:npm:)?#{Regexp.escape(expected_version)}["']?(?:,|:)
+          /x
         end
         def fetch_package_version(dep_name, pkg_block)
-          version = pkg_block.match(/version"?\s*"(.*?)"/)&.captures&.[](0)
+          # Try different version formats:
+          # 1. version: "1.2.3"    - quoted version
+          # 2. version: 1.2.3      - unquoted version
+          # 3. "pkg@1.2.3":        - version in package spec
+          # 4. "pkg@npm:1.2.3":    - version with npm prefix
+          # Try to find version in this order:
+          # 1. resolution field (for overrides)
+          # 2. version field (both quoted and unquoted)
+          # 3. package spec
+          version = extract_version_from_block(dep_name, pkg_block)
           if version.nil?
             raise NoMatchingPatternError,
                   "Unable to find the version of \"#{dep_name}\" in #{@yarn_lock_path}"
           end
-          version || '0.0.0.0'
+          version || 'unknown'
+        end
+        def extract_version_from_block(dep_name, pkg_block)
+          find_resolution_version(dep_name, pkg_block) ||
+            find_version_field(pkg_block) ||
+            find_spec_version(dep_name, pkg_block)
+        end
+        def find_resolution_version(dep_name, pkg_block)
+          pattern = /
+            resolution:.*?["']#{Regexp.escape(dep_name)}@
+            (?:npm:)?(?:patch:#{Regexp.escape(dep_name)}@npm%3A)?
+            ([\d.-]+(?:-(?:beta|rc|dev)\.\d+(?:\.\d+)?)?)
+            (?:&hash=[a-f0-9]+)?["']
+          /x
+          pkg_block.match(pattern)&.captures&.[](0)
+        end
+        def find_version_field(pkg_block)
+          pattern = /version["']?\s*["']?([\d.-]+(?:-(?:beta|rc|dev)\.\d+(?:\.\d+)?)?)(?:&hash=[a-f0-9]+)?["']?(?:\s|$)/
+          pkg_block.match(pattern)&.captures&.[](0)
+        end
+        def find_spec_version(dep_name, pkg_block)
+          pattern = %r{^.*?#{Regexp.escape(dep_name)}@(?:npm:|https://[^#]+#)?(?:patch:#{Regexp.escape(dep_name)}@npm%3A)?(?:v)?([\d.-]+(?:-(?:beta|rc|dev)\.\d+(?:\.\d+)?)?)(?:&hash=[a-f0-9]+)?["']?(?:,|\s*:)}m
+          pkg_block.match(pattern)&.captures&.[](0)
         end
-        def regex_pattern_for_package(dep_name, version)
+        def regex_pattern_for_package(dep_name, _version)
           # assume the package name is prefixed by a space, a quote or be the first thing on the line
           # there can be multiple comma-separated versions on the same line with or without quotes
           # Here are some examples of strings that would be matched:
@@ -55,7 +137,45 @@ module Package
           # - lodash@^4.17.15, lodash@^4.17.20:
           # - "@adobe/css-tools@^4.0.1":
           # - "@babel/runtime@^7.23.1", "@babel/runtime@^7.9.2":
-          /(?:^|[ "])#{Regexp.escape(dep_name)}@#{Regexp.escape(version)}.*?:.*?(\n\n|\z)/m
+          # For resolutions (exact versions):
+          # - "@apollo/client@3.12.5":
+          # For both regular dependencies and resolutions
+          # The package might appear in different formats:
+          # 1. As a dependency spec: "@apollo/client@^3.14.0"
+          # 2. As a resolved version: "@apollo/client@3.12.5"
+          # 3. As part of a multi-version spec: "@apollo/client@^3.14.0, @apollo/client@^3.12.5"
+          # 4. With npm prefix: "@apollo/client@npm:3.12.5"
+          # 5. In resolution field: "resolution: \"@apollo/client@npm:3.12.5\""
+          escaped_name = Regexp.escape(dep_name)
+          # Look for any entry that starts with our package name and includes the version
+          # We match the entire block and let fetch_package_version handle version extraction
+          # The pattern matches:
+          # 1. Package name at start of line or after quote
+          # 2. Everything up to the next double newline or end of file
+          # 3. Handles both compact and expanded formats with dependencies
+          # Match both old and new yarn.lock formats:
+          # Old: pkg@^1.0.0:
+          # New: "pkg@^1.0.0":
+          # The pattern matches the entire block including any indented lines
+          # We look for:
+          # 1. Start of line
+          # 2. Optional quote
+          # 3. Package name
+          # 4. @ symbol
+          # 5. Version spec (anything up to : or ")
+          # 6. Optional quote and colon
+          # 7. Rest of the block until next entry or end of file
+          # The pattern needs to match:
+          # 1. Basic format: pkg@^1.0.0:
+          # 2. Quoted format: "pkg@^1.0.0":
+          # 3. Multiple specs: "pkg@1.0.0", "pkg@npm:1.0.0":
+          # 4. Scoped packages: "@scope/pkg@1.0.0":
+          # Match any of:
+          # 1. Basic: pkg@^1.0.0:
+          # 2. Quoted: "pkg@^1.0.0":
+          # 3. Multiple: "pkg@1.0.0", "pkg@npm:1.0.0":
+          # 4. Scoped: "@scope/pkg@1.0.0":
+          /^(?:["']?#{escaped_name}@[^,\n:"]+(?:,\s*["']#{escaped_name}@[^,\n:"]+)*["']?:.*?)(?=\n["']|\n\s*\n|\z)/m
         end
       end
     end

data/lib/package/audit/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Package
   module Audit
-    VERSION = '0.6.2'
+    VERSION = '0.7.0'
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: package-audit
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.7.0
 platform: ruby
 authors:
 - Vadim Kononov
@@ -111,7 +111,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 3.7.2
 specification_version: 4
 summary: A helper tool to find outdated, deprecated and vulnerable dependencies.
 test_files: []