@mongodb-js/sbom-tools 0.2.3 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +20 -7
- package/dist/commands/generate-third-party-notices.d.ts.map +1 -1
- package/dist/commands/generate-third-party-notices.js +19 -12
- package/dist/commands/generate-third-party-notices.js.map +1 -1
- package/dist/commands/generate-vulnerability-report.d.ts +4 -1
- package/dist/commands/generate-vulnerability-report.d.ts.map +1 -1
- package/dist/commands/generate-vulnerability-report.js +55 -74
- package/dist/commands/generate-vulnerability-report.js.map +1 -1
- package/dist/commands/scan-node-js.d.ts +1 -1
- package/dist/commands/scan-node-js.d.ts.map +1 -1
- package/dist/commands/scan-node-js.js +7 -3
- package/dist/commands/scan-node-js.js.map +1 -1
- package/dist/jira.d.ts +4 -0
- package/dist/jira.d.ts.map +1 -0
- package/dist/jira.js +161 -0
- package/dist/jira.js.map +1 -0
- package/dist/{snyk-vulnerability.d.ts → vulnerability.d.ts} +35 -15
- package/dist/vulnerability.d.ts.map +1 -0
- package/dist/vulnerability.js +144 -0
- package/dist/vulnerability.js.map +1 -0
- package/package.json +2 -2
- package/dist/snyk-vulnerability.d.ts.map +0 -1
- package/dist/snyk-vulnerability.js +0 -87
- package/dist/snyk-vulnerability.js.map +0 -1
package/README.md
CHANGED
|
@@ -58,6 +58,15 @@ dependencies.json
|
|
|
58
58
|
|
|
59
59
|
Outputs a markdown report of vulnerabilities given one or more `dependencies.json` files and the output of one or more multiple `snyk test`.
|
|
60
60
|
|
|
61
|
+
If `--create-jira-issues` is set then each vulnerability that is not ignored will be also reported as a jira issue.
|
|
62
|
+
|
|
63
|
+
The jira issue creation must be configured setting the following environment variables:
|
|
64
|
+
|
|
65
|
+
- `JIRA_BASE_URL` (required): The base url of the jira api (excluded the `/rest/api/...`).
|
|
66
|
+
- `JIRA_API_TOKEN` (required): A jira PAT.
|
|
67
|
+
- `JIRA_PROJECT` (required): The project used to create the ticket.
|
|
68
|
+
- `JIRA_VULNERABILITY_BUILD_INFO`: Additional build info added to the ticket description (for example the commit id).
|
|
69
|
+
|
|
61
70
|
#### Usage
|
|
62
71
|
|
|
63
72
|
```
|
|
@@ -67,19 +76,19 @@ Generate vulnerabilities report
|
|
|
67
76
|
|
|
68
77
|
Options:
|
|
69
78
|
--dependencies <paths> Comma-separated list of dependency files (default: [])
|
|
70
|
-
--snyk-reports <paths>
|
|
79
|
+
--snyk-reports <paths> Comma-separated list of snyk
|
|
71
80
|
result files (default: [])
|
|
72
|
-
--fail-on [level]
|
|
81
|
+
--fail-on [level] Fail on the specified severity
|
|
73
82
|
level
|
|
74
|
-
|
|
75
|
-
-h, --help
|
|
83
|
+
--create-jira-issues Create Jira issues for the vulnerabilities found
|
|
84
|
+
-h, --help display help for command
|
|
76
85
|
```
|
|
77
86
|
|
|
78
87
|
**Example output:**
|
|
79
88
|
|
|
80
89
|
```md
|
|
81
|
-
| dep@version | id | score | fixed in |
|
|
82
|
-
| ------------ | --------------------- | ------------ | -------- | -------------------- |
|
|
90
|
+
| dep@version | id | score | fixed in | ignored |
|
|
91
|
+
| ------------ | --------------------- | ------------ | -------- | -------------------- |
|
|
83
92
|
| jquery@2.2.4 | SNYK-JS-JQUERY-567880 | 6.5 (Medium) | 3.5.0 | - |
|
|
84
93
|
| got@10.7.0 | SNYK-JS-GOT-2932019 | 5.4 (Medium) | 11.8.5 | Ignored. Reason: ... |
|
|
85
94
|
```
|
|
@@ -143,8 +152,12 @@ Options:
|
|
|
143
152
|
|
|
144
153
|
```json
|
|
145
154
|
{
|
|
155
|
+
// remove orgs and packages from the report
|
|
146
156
|
"ignoredOrgs": ["@mongodb-js", "@leafygreen-ui", "@mongosh"],
|
|
147
|
-
"ignoredPackages": [],
|
|
157
|
+
"ignoredPackages": ["package1"],
|
|
158
|
+
// include packages in the report, just skip validation
|
|
159
|
+
"doNotValidatePackages": ["package2"],
|
|
160
|
+
"additionalAllowedLicenses": ["PYTHON-2.0"],
|
|
148
161
|
"licenseOverrides": {
|
|
149
162
|
"@segment/loosely-validate-event@2.0.0": "MIT",
|
|
150
163
|
"component-event@0.1.4": "MIT",
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"generate-third-party-notices.d.ts","sourceRoot":"","sources":["../../src/commands/generate-third-party-notices.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"generate-third-party-notices.d.ts","sourceRoot":"","sources":["../../src/commands/generate-third-party-notices.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAoHpC,wBAAgB,uBAAuB,CACrC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,OAAO,EAAE,GAClB,MAAM,CAuDR;AAmDD,wBAAsB,uBAAuB,CAAC,EAC5C,WAAW,EACX,eAAe,EACf,UAAU,EACV,WAAW,GACZ,EAAE;IACD,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;CACxC,GAAG,OAAO,CAAC,IAAI,CAAC,CAShB;AAMD,eAAO,MAAM,OAAO,SAoBhB,CAAC"}
|
|
@@ -33,7 +33,7 @@ function checkOverrides(packagesToCheck, dependencies) {
|
|
|
33
33
|
function id(pkg) {
|
|
34
34
|
return crypto_1.default
|
|
35
35
|
.createHash('sha256')
|
|
36
|
-
.update(
|
|
36
|
+
.update(packageNameAndVersion(pkg))
|
|
37
37
|
.digest('hex');
|
|
38
38
|
}
|
|
39
39
|
function normalizeLicenseProperty(license) {
|
|
@@ -64,8 +64,8 @@ function licenseSpdx(pkg) {
|
|
|
64
64
|
function indent(input, depth) {
|
|
65
65
|
return input.replace(/^/gm, ' '.repeat(depth));
|
|
66
66
|
}
|
|
67
|
-
function validatePackage(pkg) {
|
|
68
|
-
return ALLOWED_LICENSES.some((allowedLicense) => {
|
|
67
|
+
function validatePackage(pkg, config) {
|
|
68
|
+
return [...ALLOWED_LICENSES, ...config.additionalAllowedLicenses].some((allowedLicense) => {
|
|
69
69
|
const spdx = licenseSpdx(pkg);
|
|
70
70
|
try {
|
|
71
71
|
return (0, spdx_satisfies_1.default)(allowedLicense, spdx);
|
|
@@ -76,14 +76,19 @@ function validatePackage(pkg) {
|
|
|
76
76
|
});
|
|
77
77
|
}
|
|
78
78
|
async function readConfig(configPath) {
|
|
79
|
-
var _a, _b, _c;
|
|
79
|
+
var _a, _b, _c, _d, _e;
|
|
80
80
|
const originalConfig = JSON.parse(await fs_1.promises.readFile(configPath, 'utf-8'));
|
|
81
81
|
return Promise.resolve({
|
|
82
82
|
ignoredOrgs: [...((_a = originalConfig.ignoredOrgs) !== null && _a !== void 0 ? _a : [])],
|
|
83
83
|
ignoredPackages: [...((_b = originalConfig.ignoredPackages) !== null && _b !== void 0 ? _b : [])],
|
|
84
84
|
licenseOverrides: { ...((_c = originalConfig.licenseOverrides) !== null && _c !== void 0 ? _c : {}) },
|
|
85
|
+
doNotValidatePackages: [...((_d = originalConfig.doNotValidatePackages) !== null && _d !== void 0 ? _d : [])],
|
|
86
|
+
additionalAllowedLicenses: [
|
|
87
|
+
...((_e = originalConfig.additionalAllowedLicenses) !== null && _e !== void 0 ? _e : []),
|
|
88
|
+
],
|
|
85
89
|
});
|
|
86
90
|
}
|
|
91
|
+
const packageNameAndVersion = (pkg) => `${pkg.name}@${pkg.version}`;
|
|
87
92
|
function printLicenseInformation(productName, packages) {
|
|
88
93
|
var _a, _b;
|
|
89
94
|
let output = `\
|
|
@@ -135,8 +140,10 @@ ${packages
|
|
|
135
140
|
return output;
|
|
136
141
|
}
|
|
137
142
|
exports.printLicenseInformation = printLicenseInformation;
|
|
138
|
-
function validatePackages(packages) {
|
|
139
|
-
const invalidPackages = packages
|
|
143
|
+
function validatePackages(packages, config) {
|
|
144
|
+
const invalidPackages = packages
|
|
145
|
+
.filter((pkg) => !config.doNotValidatePackages.includes(packageNameAndVersion(pkg)))
|
|
146
|
+
.filter((pkg) => !validatePackage(pkg, config));
|
|
140
147
|
if (invalidPackages.length) {
|
|
141
148
|
throw new Error([
|
|
142
149
|
`Generation failed, found ${invalidPackages.length} invalid packages:`,
|
|
@@ -145,19 +152,19 @@ function validatePackages(packages) {
|
|
|
145
152
|
}
|
|
146
153
|
}
|
|
147
154
|
function applyConfig(dependencies, config) {
|
|
148
|
-
var _a, _b;
|
|
149
155
|
checkOverrides([
|
|
150
|
-
...
|
|
151
|
-
...
|
|
156
|
+
...config.ignoredPackages,
|
|
157
|
+
...config.doNotValidatePackages,
|
|
158
|
+
...Object.keys(config.licenseOverrides),
|
|
152
159
|
], dependencies);
|
|
153
160
|
return dependencies
|
|
154
161
|
.filter((pkg) => !(config.ignoredOrgs || []).some((org) => pkg.name.startsWith(org + '/')))
|
|
155
|
-
.filter((pkg) => !(config.ignoredPackages || []).includes(
|
|
162
|
+
.filter((pkg) => !(config.ignoredPackages || []).includes(packageNameAndVersion(pkg)))
|
|
156
163
|
.map((pkg) => {
|
|
157
164
|
var _a;
|
|
158
165
|
return ({
|
|
159
166
|
...pkg,
|
|
160
|
-
license: (_a = (config.licenseOverrides || {})[
|
|
167
|
+
license: (_a = (config.licenseOverrides || {})[packageNameAndVersion(pkg)]) !== null && _a !== void 0 ? _a : pkg.license,
|
|
161
168
|
});
|
|
162
169
|
});
|
|
163
170
|
}
|
|
@@ -165,7 +172,7 @@ async function generate3rdPartyNotices({ productName, dependencyFiles, configPat
|
|
|
165
172
|
const config = await readConfig(configPath !== null && configPath !== void 0 ? configPath : 'licenses.json');
|
|
166
173
|
const allPackages = await (0, load_dependency_files_1.loadDependencyFiles)(dependencyFiles);
|
|
167
174
|
const packages = applyConfig(allPackages, config);
|
|
168
|
-
validatePackages(packages);
|
|
175
|
+
validatePackages(packages, config);
|
|
169
176
|
const markdown = printLicenseInformation(productName, packages);
|
|
170
177
|
(printResult !== null && printResult !== void 0 ? printResult : console.info)(markdown);
|
|
171
178
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"generate-third-party-notices.js","sourceRoot":"","sources":["../../src/commands/generate-third-party-notices.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAC5B,oEAA2C;AAE3C,2BAAoC;AAGpC,oEAA+D;AAC/D,yCAAoC;
|
|
1
|
+
{"version":3,"file":"generate-third-party-notices.js","sourceRoot":"","sources":["../../src/commands/generate-third-party-notices.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAC5B,oEAA2C;AAE3C,2BAAoC;AAGpC,oEAA+D;AAC/D,yCAAoC;AAUpC,MAAM,gBAAgB,GAAG;IACvB,KAAK;IACL,MAAM;IACN,cAAc;IACd,cAAc;IACd,cAAc;IACd,YAAY;IACZ,KAAK;IACL,WAAW;IACX,OAAO;IACP,SAAS;IACT,WAAW;CACZ,CAAC;AAEF,SAAS,cAAc,CAAC,eAAyB,EAAE,YAAuB;IACxE,MAAM,OAAO,GAAG,IAAI,GAAG,CACrB,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC,CAC9D,CAAC;IAEF,KAAK,MAAM,WAAW,IAAI,eAAe,EAAE;QACzC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE;YAC7B,MAAM,IAAI,KAAK,CACb,gBAAgB,WAAW,mHAAmH,CAC/I,CAAC;SACH;KACF;AACH,CAAC;AAGD,SAAS,EAAE,CAAC,GAAY;IACtB,OAAO,gBAAM;SACV,UAAU,CAAC,QAAQ,CAAC;SACpB,MAAM,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;SAClC,MAAM,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED,SAAS,wBAAwB,CAAC,OAAkC;IAClE,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE;QAC/B,OAAO,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC;KAC3B;IAED,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE;QAC/B,OAAO,OAAO,CAAC;KAChB;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,WAAW,CAAC,GAAY;;IAC/B,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAA,GAAG,CAAC,QAAQ,mCAAI,EAAE,CAAC;SACtD,MAAM,CAAC,OAAO,CAAC;SACf,GAAG,CAAC,wBAAwB,CAAC,CAAC;AACnC,CAAC;AAGD,SAAS,WAAW,CAAC,GAAY;IAC/B,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAElC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE;QACpB,OAAO,EAAE,CAAC;KACX;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE;QACzB,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC;KACpB;IAED,OAAO,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC;AAC3D,CAAC;AAED,SAAS,MAAM,CAAC,KAAa,EAAE,KAAa;IAC1C,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,eAAe,CAAC,GAAY,EAAE,MAAc;IACnD,OAAO,CAAC,GAAG,gBAAgB,EAAE,GAAG,MAAM,CAAC,yBAAyB,CAAC,CAAC,IAAI,CACpE,CAAC,cAAc,EAAE,EAAE;QACjB,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI;YACF,OAAO,IAAA,wBAAa,EAAC,cAAc,EAAE,IAAI,CAAC,CAAC;SAC5C;QAAC,OAAO,KAAK,EAAE;YACd,O
AAO,cAAc,KAAK,IAAI,CAAC;SAChC;IACH,CAAC,CACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,UAAkB;;IAC1C,MAAM,cAAc,GAAoB,IAAI,CAAC,KAAK,CAChD,MAAM,aAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CACvC,CAAC;IAEF,OAAO,OAAO,CAAC,OAAO,CAAC;QACrB,WAAW,EAAE,CAAC,GAAG,CAAC,MAAA,cAAc,CAAC,WAAW,mCAAI,EAAE,CAAC,CAAC;QACpD,eAAe,EAAE,CAAC,GAAG,CAAC,MAAA,cAAc,CAAC,eAAe,mCAAI,EAAE,CAAC,CAAC;QAC5D,gBAAgB,EAAE,EAAE,GAAG,CAAC,MAAA,cAAc,CAAC,gBAAgB,mCAAI,EAAE,CAAC,EAAE;QAChE,qBAAqB,EAAE,CAAC,GAAG,CAAC,MAAA,cAAc,CAAC,qBAAqB,mCAAI,EAAE,CAAC,CAAC;QACxE,yBAAyB,EAAE;YACzB,GAAG,CAAC,MAAA,cAAc,CAAC,yBAAyB,mCAAI,EAAE,CAAC;SACpD;KACF,CAAC,CAAC;AACL,CAAC;AAED,MAAM,qBAAqB,GAAG,CAAC,GAAY,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;AAI7E,SAAgB,uBAAuB,CACrC,WAAmB,EACnB,QAAmB;;IAEnB,IAAI,MAAM,GAAG;kEACmD,WAAW;+CAC9B,IAAI,IAAI,EAAE,CAAC,YAAY,EAAE;;;;;;EAMtE,QAAQ;SACP,GAAG,CACF,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,EAAE,CAAC,GAAG,CAAC,OAAO,GAAG,CAAC,OAAO,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAC7E;SACA,IAAI,CAAC,IAAI,CAAC;;;CAGZ,CAAC;IAEA,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE;QAC1B,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,iBAAiB,GAAG,GAAG,CAAC,OAAO;YACnC,CAAC,CAAC,GAAG,CAAC,IAAI;YACV,CAAC,CAAC,IAAI,GAAG,CAAC,IAAI,mCAAmC,GAAG,CAAC,IAAI,GAAG,CAAC;QAC/D,MAAM,IAAI;SACL,EAAE,CAAC,GAAG,CAAC;MACV,iBAAiB,aAAa,GAAG,CAAC,OAAO;CAC9C,CAAC;QACE,IAAI,GAAG,CAAC,WAAW,EAAE;YACnB,MAAM,IAAI,KAAK,GAAG,CAAC,WAAW,MAAM,CAAC;SACtC;QAED,MAAM,IAAI,iBAAiB,IAAI,MAAM,CAAC;QAEtC,IAAI,MAAA,GAAG,CAAC,YAAY,0CAAE,MAAM,EAAE;YAC5B,MAAM,IAAI,kBAAkB,CAAC;YAC7B,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,YAAY,EAAE;gBACnC,MAAM,IAAI,KAAK,IAAI,CAAC,QAAQ,QAAQ,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;aACnE;SACF;QAED,IAAI,MAAA,GAAG,CAAC,YAAY,0CAAE,MAAM,EAAE;YAC5B,MAAM,IAAI,YAAY,CAAC;YACvB,KAAK,MAAM,MAAM,IAAI,GAAG,CAAC,YAAY,EAAE;gBACrC,MAAM,IAAI,GACR,OAAO,MAAM,KAAK,QAAQ;oBACxB,CAAC,CAAC,MAAM;oBACR,CAAC,CAAC,MAAM,CAAC,IAAI;wBACX,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,MAAM,CAAC,KAAK,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpD,CAAC,MAAM,CAAC,GAAG,
CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBAC7C,MAAM,IAAI,KAAK,IAAI,IAAI,CAAC;aACzB;YACD,MAAM,IAAI,IAAI,CAAC;SAChB;KACF;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AA1DD,0DA0DC;AAED,SAAS,gBAAgB,CAAC,QAAmB,EAAE,MAAc;IAC3D,MAAM,eAAe,GAAG,QAAQ;SAC7B,MAAM,CACL,CAAC,GAAG,EAAE,EAAE,CACN,CAAC,MAAM,CAAC,qBAAqB,CAAC,QAAQ,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC,CACrE;SACA,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC;IAElD,IAAI,eAAe,CAAC,MAAM,EAAE;QAC1B,MAAM,IAAI,KAAK,CACb;YACE,4BAA4B,eAAe,CAAC,MAAM,oBAAoB;YACtE,GAAG,eAAe,CAAC,GAAG,CACpB,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,KAAK,WAAW,CAAC,GAAG,CAAC,EAAE,CAC7D;SACF,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;KACH;AACH,CAAC;AAED,SAAS,WAAW,CAAC,YAAuB,EAAE,MAAc;IAC1D,cAAc,CACZ;QACE,GAAG,MAAM,CAAC,eAAe;QACzB,GAAG,MAAM,CAAC,qBAAqB;QAC/B,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC;KACxC,EACD,YAAY,CACb,CAAC;IAEF,OAAO,YAAY;SAChB,MAAM,CACL,CAAC,GAAG,EAAE,EAAE,CACN,CAAC,CAAC,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CACvC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,GAAG,GAAG,CAAC,CAC/B,CACJ;SACA,MAAM,CACL,CAAC,GAAG,EAAE,EAAE,CACN,CAAC,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC,CACvE;SACA,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;;QAAC,OAAA,CAAC;YACb,GAAG,GAAG;YACN,OAAO,EACL,MAAA,CAAC,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC,mCAC3D,GAAG,CAAC,OAAO;SACd,CAAC,CAAA;KAAA,CAAC,CAAC;AACR,CAAC;AAEM,KAAK,UAAU,uBAAuB,CAAC,EAC5C,WAAW,EACX,eAAe,EACf,UAAU,EACV,WAAW,GAMZ;IACC,MAAM,MAAM,GAAW,MAAM,UAAU,CAAC,UAAU,aAAV,UAAU,cAAV,UAAU,GAAI,eAAe,CAAC,CAAC;IACvE,MAAM,WAAW,GAAG,MAAM,IAAA,2CAAmB,EAAU,eAAe,CAAC,CAAC;IACxE,MAAM,QAAQ,GAAc,WAAW,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAE7D,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAEnC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAChE,CAAC,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC;AAC1C,CAAC;AAnBD,0DAmBC;AAED,SAAS,kBAAkB,CAAC,KAAa;IACvC,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,
CAAC;AAC1B,CAAC;AAEY,QAAA,OAAO,GAAG,IAAI,mBAAO,CAAC,4BAA4B,CAAC;KAC7D,WAAW,CAAC,8BAA8B,CAAC;KAC3C,MAAM,CAAC,yBAAyB,EAAE,cAAc,CAAC;KACjD,MAAM,CACL,mBAAmB,EACnB,gCAAgC,EAChC,eAAe,CAChB;KACA,MAAM,CACL,wBAAwB,EACxB,0CAA0C,EAC1C,kBAAkB,EAClB,EAAE,CACH;KACA,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,MAAM,uBAAuB,CAAC;QAC5B,WAAW,EAAE,OAAO,CAAC,OAAO;QAC5B,eAAe,EAAE,OAAO,CAAC,YAAY;QACrC,UAAU,EAAE,OAAO,CAAC,MAAM;KAC3B,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -1,11 +1,14 @@
|
|
|
1
|
-
import type { KnownSeverity, SnykTestProjectResult } from '../
|
|
1
|
+
import type { KnownSeverity, SnykTestProjectResult, VulnerabilityInfo } from '../vulnerability';
|
|
2
2
|
import { Command } from 'commander';
|
|
3
3
|
export declare function loadReports(files: string[]): Promise<SnykTestProjectResult[]>;
|
|
4
|
+
export declare function formatIgnored(vuln: VulnerabilityInfo): string;
|
|
5
|
+
export declare function generateVulnerabilityTable(vulnerabilities: VulnerabilityInfo[]): string;
|
|
4
6
|
export declare function generateVulnerabilityReport(options: {
|
|
5
7
|
dependencyFiles: string[];
|
|
6
8
|
snykReports: string[];
|
|
7
9
|
snykPolicyPath?: string;
|
|
8
10
|
failOn?: KnownSeverity;
|
|
11
|
+
createJiraIssues?: boolean;
|
|
9
12
|
printResult?: (result: string) => void;
|
|
10
13
|
}): Promise<void>;
|
|
11
14
|
export declare const command: Command;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"generate-vulnerability-report.d.ts","sourceRoot":"","sources":["../../src/commands/generate-vulnerability-report.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"generate-vulnerability-report.d.ts","sourceRoot":"","sources":["../../src/commands/generate-vulnerability-report.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EACV,aAAa,EAEb,qBAAqB,EACrB,iBAAiB,EAClB,MAAM,kBAAkB,CAAC;AAY1B,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpC,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EAAE,GACd,OAAO,CAAC,qBAAqB,EAAE,CAAC,CAUlC;AA6ED,wBAAgB,aAAa,CAAC,IAAI,EAAE,iBAAiB,GAAG,MAAM,CAW7D;AAED,wBAAgB,0BAA0B,CACxC,eAAe,EAAE,iBAAiB,EAAE,GACnC,MAAM,CAwBR;AAED,wBAAsB,2BAA2B,CAAC,OAAO,EAAE;IACzD,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,MAAM,CAAC,EAAE,aAAa,CAAC;IACvB,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;CACxC,GAAG,OAAO,CAAC,IAAI,CAAC,CA4BhB;AAMD,eAAO,MAAM,OAAO,SA8BhB,CAAC"}
|
|
@@ -3,115 +3,94 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
3
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
4
|
};
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
-
exports.command = exports.generateVulnerabilityReport = exports.loadReports = void 0;
|
|
6
|
+
exports.command = exports.generateVulnerabilityReport = exports.generateVulnerabilityTable = exports.formatIgnored = exports.loadReports = void 0;
|
|
7
7
|
const fs_1 = require("fs");
|
|
8
|
-
const snykPolicy = require('snyk-policy');
|
|
9
8
|
const lodash_1 = __importDefault(require("lodash"));
|
|
10
9
|
const load_dependency_files_1 = require("../load-dependency-files");
|
|
11
|
-
const
|
|
10
|
+
const vulnerability_1 = require("../vulnerability");
|
|
12
11
|
const commander_1 = require("commander");
|
|
12
|
+
const jira_1 = require("../jira");
|
|
13
13
|
async function loadReports(files) {
|
|
14
14
|
return (await Promise.all(files.map(async (fileName) => JSON.parse(await fs_1.promises.readFile(fileName, 'utf-8'))))).flat();
|
|
15
15
|
}
|
|
16
16
|
exports.loadReports = loadReports;
|
|
17
17
|
function filterApplicableVulnerabilities(snykTestResults, dependencies, rules) {
|
|
18
|
-
const
|
|
18
|
+
const uniqueVulnerabilities = new Map();
|
|
19
19
|
snykTestResults.forEach((projectResult) => {
|
|
20
|
-
projectResult.vulnerabilities.forEach((
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
20
|
+
projectResult.vulnerabilities.forEach((snykVulnerability) => {
|
|
21
|
+
if (snykVulnerability.type === 'license') {
|
|
22
|
+
return;
|
|
23
|
+
}
|
|
24
|
+
const newVulnerability = (0, vulnerability_1.vulnerabilityFromSnyk)(snykVulnerability, rules);
|
|
25
|
+
for (const dep of dependencies) {
|
|
26
|
+
if (newVulnerability.packageName !== dep.name ||
|
|
27
|
+
newVulnerability.packageVersion !== dep.version) {
|
|
28
|
+
continue;
|
|
29
|
+
}
|
|
30
|
+
const key = `${newVulnerability.packageName}@${newVulnerability.packageVersion}_${newVulnerability.id}`;
|
|
31
|
+
const previouslyAdded = uniqueVulnerabilities.get(key);
|
|
32
|
+
if (previouslyAdded) {
|
|
33
|
+
previouslyAdded.origins = Array.from(new Set([...previouslyAdded.origins, ...newVulnerability.origins]));
|
|
34
|
+
}
|
|
35
|
+
else {
|
|
36
|
+
uniqueVulnerabilities.set(key, newVulnerability);
|
|
25
37
|
}
|
|
26
|
-
});
|
|
27
|
-
});
|
|
28
|
-
});
|
|
29
|
-
const uniqueVulnerabilities = new Map();
|
|
30
|
-
affectedDependencies.forEach((vuln) => {
|
|
31
|
-
const key = `${vuln.name}@${vuln.version}_${vuln.id}`;
|
|
32
|
-
const origin = '-';
|
|
33
|
-
if (uniqueVulnerabilities.has(key)) {
|
|
34
|
-
const existingVuln = uniqueVulnerabilities.get(key);
|
|
35
|
-
if (!existingVuln.origins.includes(origin)) {
|
|
36
|
-
existingVuln.origins.push(origin);
|
|
37
38
|
}
|
|
38
|
-
}
|
|
39
|
-
else {
|
|
40
|
-
uniqueVulnerabilities.set(key, {
|
|
41
|
-
name: `${vuln.name}@${vuln.version}`,
|
|
42
|
-
id: vuln.id,
|
|
43
|
-
score: vuln.cvssScore,
|
|
44
|
-
severity: `${vuln.severity
|
|
45
|
-
.charAt(0)
|
|
46
|
-
.toUpperCase()}${vuln.severity.slice(1)}`,
|
|
47
|
-
fixedIn: vuln.fixedIn.join(', '),
|
|
48
|
-
origins: [origin],
|
|
49
|
-
policy: snykPolicy.getByVuln(rules, vuln),
|
|
50
|
-
});
|
|
51
|
-
}
|
|
39
|
+
});
|
|
52
40
|
});
|
|
53
|
-
const sortedVulnerabilities = Array.from(uniqueVulnerabilities.values()).sort((a, b) => a.
|
|
41
|
+
const sortedVulnerabilities = Array.from(uniqueVulnerabilities.values()).sort((a, b) => `${a.packageName}@${a.packageVersion}`.localeCompare(`${b.packageName}@${b.packageVersion}`));
|
|
54
42
|
return sortedVulnerabilities;
|
|
55
43
|
}
|
|
44
|
+
function fail(failOn, bundleVulnerabilities) {
|
|
45
|
+
var _a;
|
|
46
|
+
const minScore = (_a = (0, vulnerability_1.severityToScore)(failOn)) !== null && _a !== void 0 ? _a : 0;
|
|
47
|
+
for (const vuln of bundleVulnerabilities) {
|
|
48
|
+
if ((vuln.score === undefined || vuln.score >= minScore) &&
|
|
49
|
+
(0, vulnerability_1.hasKnownRemediation)(vuln) &&
|
|
50
|
+
!(0, vulnerability_1.isIgnored)(vuln)) {
|
|
51
|
+
throw new Error(`Vulnerabilities check failed: found vulnerabilities >= "${failOn}"`);
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
}
|
|
56
55
|
function formatIgnored(vuln) {
|
|
57
56
|
var _a, _b;
|
|
58
|
-
if (!hasKnownRemediation(vuln)) {
|
|
57
|
+
if (!(0, vulnerability_1.hasKnownRemediation)(vuln)) {
|
|
59
58
|
return 'Reason: Remediation not available yet';
|
|
60
59
|
}
|
|
61
|
-
if (hasIgnorePolicy(vuln)) {
|
|
62
|
-
const expired = hasExpiredPolicy(vuln) ? ' (Expired)' : '';
|
|
60
|
+
if ((0, vulnerability_1.hasIgnorePolicy)(vuln)) {
|
|
61
|
+
const expired = (0, vulnerability_1.hasExpiredPolicy)(vuln) ? ' (Expired)' : '';
|
|
63
62
|
return `Reason: ${(_b = (_a = vuln.policy) === null || _a === void 0 ? void 0 : _a.reason) !== null && _b !== void 0 ? _b : 'unknown'}${expired}`;
|
|
64
63
|
}
|
|
65
64
|
return '-';
|
|
66
65
|
}
|
|
67
|
-
|
|
66
|
+
exports.formatIgnored = formatIgnored;
|
|
67
|
+
function generateVulnerabilityTable(vulnerabilities) {
|
|
68
68
|
var _a;
|
|
69
69
|
let output = '';
|
|
70
|
-
output +=
|
|
71
|
-
output += '|
|
|
72
|
-
output += '| ----------- | -- | ----- | -------- | ------ | ------- |\n';
|
|
70
|
+
output += '| dep@version | id | score | fixed in | ignored |\n';
|
|
71
|
+
output += '| ----------- | -- | ----- | -------- | ------- |\n';
|
|
73
72
|
const sortedVulns = lodash_1.default.orderBy(vulnerabilities, ['score', 'name'], ['desc', 'asc']);
|
|
74
73
|
for (const vuln of sortedVulns) {
|
|
75
|
-
const severity = `${(_a = vuln.score) !== null && _a !== void 0 ? _a : '?'} (${vuln.severity
|
|
74
|
+
const severity = `${(_a = vuln.score) !== null && _a !== void 0 ? _a : '?'} (${vuln.severity
|
|
75
|
+
.charAt(0)
|
|
76
|
+
.toUpperCase()}${vuln.severity.slice(1)})`;
|
|
76
77
|
const ignored = formatIgnored(vuln);
|
|
77
|
-
output += `| ${vuln.
|
|
78
|
+
output += `| ${vuln.packageName}@${vuln.packageVersion} | ${vuln.id} | ${severity} | ${vuln.fixedIn.join(', ') || 'N/A'} | ${ignored} |\n`;
|
|
78
79
|
}
|
|
79
80
|
return output;
|
|
80
81
|
}
|
|
81
|
-
|
|
82
|
-
return hasIgnorePolicy(vuln) && !hasExpiredPolicy(vuln);
|
|
83
|
-
}
|
|
84
|
-
function hasIgnorePolicy(vuln) {
|
|
85
|
-
var _a;
|
|
86
|
-
return ((_a = vuln.policy) === null || _a === void 0 ? void 0 : _a.type) === 'ignore';
|
|
87
|
-
}
|
|
88
|
-
function hasExpiredPolicy(vuln) {
|
|
89
|
-
var _a;
|
|
90
|
-
return new Date() >= ((_a = vuln.policy) === null || _a === void 0 ? void 0 : _a.expires);
|
|
91
|
-
}
|
|
92
|
-
function hasKnownRemediation(vuln) {
|
|
93
|
-
return !!vuln.fixedIn;
|
|
94
|
-
}
|
|
95
|
-
function fail(failOn, bundleVulnerabilities) {
|
|
96
|
-
var _a;
|
|
97
|
-
const minScore = (_a = (0, snyk_vulnerability_1.severityToScore)(failOn)) !== null && _a !== void 0 ? _a : 0;
|
|
98
|
-
for (const vuln of bundleVulnerabilities) {
|
|
99
|
-
if ((vuln.score === undefined || vuln.score >= minScore) &&
|
|
100
|
-
hasKnownRemediation(vuln) &&
|
|
101
|
-
!isIgnored(vuln)) {
|
|
102
|
-
throw new Error(`Vulnerabilities check failed: found vulnerabilities >= "${failOn}"`);
|
|
103
|
-
}
|
|
104
|
-
}
|
|
105
|
-
}
|
|
82
|
+
exports.generateVulnerabilityTable = generateVulnerabilityTable;
|
|
106
83
|
async function generateVulnerabilityReport(options) {
|
|
107
|
-
var _a
|
|
84
|
+
var _a;
|
|
108
85
|
const productionDependencies = await (0, load_dependency_files_1.loadDependencyFiles)(options.dependencyFiles);
|
|
109
86
|
const snykTestResult = await loadReports(options.snykReports);
|
|
110
|
-
const rules = await
|
|
111
|
-
loose: true,
|
|
112
|
-
});
|
|
87
|
+
const rules = await (0, vulnerability_1.loadSnykPolicyRules)(options.snykPolicyPath);
|
|
113
88
|
const applicableVulnerabilities = filterApplicableVulnerabilities(snykTestResult, productionDependencies, rules);
|
|
114
|
-
((
|
|
89
|
+
((_a = options.printResult) !== null && _a !== void 0 ? _a : console.info)(`## Vulnerabilities Report (${applicableVulnerabilities.length} vulnerabilities)
|
|
90
|
+
${generateVulnerabilityTable(applicableVulnerabilities)}`);
|
|
91
|
+
if (options.createJiraIssues) {
|
|
92
|
+
await (0, jira_1.createVulnerabilityTickets)(applicableVulnerabilities);
|
|
93
|
+
}
|
|
115
94
|
if (options.failOn) {
|
|
116
95
|
fail(options.failOn, applicableVulnerabilities);
|
|
117
96
|
}
|
|
@@ -126,12 +105,14 @@ exports.command = new commander_1.Command('generate-vulnerability-report')
|
|
|
126
105
|
.option('--snyk-reports <paths>', 'Comma-separated list of snyk result files', commaSeparatedList, [])
|
|
127
106
|
.option('--fail-on [level]', 'Fail on the specified severity level')
|
|
128
107
|
.option('--snyk-policy-path [path]', 'Snyk policy path')
|
|
108
|
+
.option('--create-jira-issues', 'Create Jira issues for the vulnerabilities found')
|
|
129
109
|
.action(async (options) => {
|
|
130
110
|
await generateVulnerabilityReport({
|
|
131
111
|
dependencyFiles: options.dependencies,
|
|
132
112
|
snykReports: options.snykReports,
|
|
133
113
|
failOn: options.failOn,
|
|
134
114
|
snykPolicyPath: options.snykPolicyPath,
|
|
115
|
+
createJiraIssues: options.createJiraIssues,
|
|
135
116
|
});
|
|
136
117
|
});
|
|
137
118
|
//# sourceMappingURL=generate-vulnerability-report.js.map
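Review bot: The table row in `generateVulnerabilityTable` calls `vuln.fixedIn.join(', ')` unconditionally, while `formatIgnored` two functions above treats "remediation not available" as a normal state; if `hasKnownRemediation` can be false because `fixedIn` is absent rather than an empty array, the table throws a TypeError before any report is printed — `${(vuln.fixedIn ?? []).join(', ') || 'N/A'}` makes the row safe either way. The same row interpolates `vuln.id`, `vuln.packageName` and, via `formatIgnored`, the free-text `policy.reason` from the `.snyk` policy file straight into a markdown table, so a `|` or a newline in a reason breaks the table; a helper such as `const cell = (s) => String(s).replace(/\|/g, '\\|').replace(/\r?\n/g, ' ');` applied to each interpolated value keeps the layout intact. `loadReports` parses each file and `filterApplicableVulnerabilities` then dereferences `projectResult.vulnerabilities` with no shape check, so a report that is not an array of project results (an error payload, for instance) surfaces as an opaque TypeError rather than a message naming the offending file; `if (!Array.isArray(projectResult.vulnerabilities)) throw new Error('Unexpected snyk report shape');` at the top of the inner loop would do. `vulnerabilityFromSnyk`, `hasKnownRemediation`, `isIgnored` and `createVulnerabilityTickets` live in `vulnerability.js`/`jira.js`, outside this section, so the first point is inferred from `formatIgnored`'s handling rather than confirmed.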
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"generate-vulnerability-report.js","sourceRoot":"","sources":["../../src/commands/generate-vulnerability-report.ts"],"names":[],"mappings":";;;;;;AAAA,2BAAoC;
|
|
1
|
+
{"version":3,"file":"generate-vulnerability-report.js","sourceRoot":"","sources":["../../src/commands/generate-vulnerability-report.ts"],"names":[],"mappings":";;;;;;AAAA,2BAAoC;AACpC,oDAAuB;AAEvB,oEAA+D;AAS/D,oDAQ0B;AAE1B,yCAAoC;AACpC,kCAAqD;AAE9C,KAAK,UAAU,WAAW,CAC/B,KAAe;IAIf,OAAO,CACL,MAAM,OAAO,CAAC,GAAG,CACf,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAC3B,IAAI,CAAC,KAAK,CAAC,MAAM,aAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CACjD,CACF,CACF,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AAZD,kCAYC;AAOD,SAAS,+BAA+B,CACtC,eAAwC,EACxC,YAA0B,EAC1B,KAAsB;IAEtB,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAA6B,CAAC;IAEnE,eAAe,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,EAAE;QACxC,aAAa,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,iBAAiB,EAAE,EAAE;YAC1D,IAAI,iBAAiB,CAAC,IAAI,KAAK,SAAS,EAAE;gBACxC,OAAO;aACR;YAED,MAAM,gBAAgB,GAAsB,IAAA,qCAAqB,EAC/D,iBAAiB,EACjB,KAAK,CACN,CAAC;YAEF,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE;gBAC9B,IACE,gBAAgB,CAAC,WAAW,KAAK,GAAG,CAAC,IAAI;oBACzC,gBAAgB,CAAC,cAAc,KAAK,GAAG,CAAC,OAAO,EAC/C;oBACA,SAAS;iBACV;gBAED,MAAM,GAAG,GAAG,GAAG,gBAAgB,CAAC,WAAW,IAAI,gBAAgB,CAAC,cAAc,IAAI,gBAAgB,CAAC,EAAE,EAAE,CAAC;gBAExG,MAAM,eAAe,GAAG,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACvD,IAAI,eAAe,EAAE;oBAEnB,eAAe,CAAC,OAAO,GAAG,KAAK,CAAC,IAAI,CAClC,IAAI,GAAG,CAAC,CAAC,GAAG,eAAe,CAAC,OAAO,EAAE,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC,CACnE,CAAC;iBACH;qBAAM;oBACL,qBAAqB,CAAC,GAAG,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;iBAClD;aACF;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,qBAAqB,GAAG,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAC3E,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,GAAG,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,cAAc,EAAE,CAAC,aAAa,CAClD,GAAG,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,cAAc,EAAE,CACvC,CACJ,CAAC;IAEF,OAAO,qBAAqB,CAAC;AAC/B,CAAC;AAED,SAAS,IAAI,CACX,MAAqB,EACrB,qBAA0C;;IAE1C,MAAM,QAAQ,GAAG,MAAA,IAAA,+BAAe,EAAC,MAAM,CAAC,mCAAI,CAAC,CAAC;IAE9C,KAAK,MAAM,IAAI,IAAI,qBAAqB,EAAE;QACxC,IACE,CAAC,IAAI,CAAC,KAAK,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,IAAI,QAAQ,CAAC;YACpD,IAAA,mCAAmB,EAAC,IAAI,CAAC;YACzB,CAAC,IAAA,yBAAS,EAAC,IAAI,CAAC,EAChB;YACA,MAAM,IAAI,KAAK,
CACb,2DAA2D,MAAM,GAAG,CACrE,CAAC;SACH;KACF;AACH,CAAC;AAED,SAAgB,aAAa,CAAC,IAAuB;;IACnD,IAAI,CAAC,IAAA,mCAAmB,EAAC,IAAI,CAAC,EAAE;QAC9B,OAAO,uCAAuC,CAAC;KAChD;IAED,IAAI,IAAA,+BAAe,EAAC,IAAI,CAAC,EAAE;QACzB,MAAM,OAAO,GAAG,IAAA,gCAAgB,EAAC,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,OAAO,WAAW,MAAA,MAAA,IAAI,CAAC,MAAM,0CAAE,MAAM,mCAAI,SAAS,GAAG,OAAO,EAAE,CAAC;KAChE;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAXD,sCAWC;AAED,SAAgB,0BAA0B,CACxC,eAAoC;;IAEpC,IAAI,MAAM,GAAG,EAAE,CAAC;IAEhB,MAAM,IAAI,qDAAqD,CAAC;IAChE,MAAM,IAAI,qDAAqD,CAAC;IAEhE,MAAM,WAAW,GAAG,gBAAC,CAAC,OAAO,CAC3B,eAAe,EACf,CAAC,OAAO,EAAE,MAAM,CAAC,EACjB,CAAC,MAAM,EAAE,KAAK,CAAC,CAChB,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE;QAC9B,MAAM,QAAQ,GAAG,GAAG,MAAA,IAAI,CAAC,KAAK,mCAAI,GAAG,KAAK,IAAI,CAAC,QAAQ;aACpD,MAAM,CAAC,CAAC,CAAC;aACT,WAAW,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC;QAC7C,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;QAEpC,MAAM,IAAI,KAAK,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,cAAc,MACpD,IAAI,CAAC,EACP,MAAM,QAAQ,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,OAAO,MAAM,CAAC;KACzE;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AA1BD,gEA0BC;AAEM,KAAK,UAAU,2BAA2B,CAAC,OAOjD;;IACC,MAAM,sBAAsB,GAAG,MAAM,IAAA,2CAAmB,EACtD,OAAO,CAAC,eAAe,CACxB,CAAC;IAEF,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC9D,MAAM,KAAK,GAAG,MAAM,IAAA,mCAAmB,EAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAEhE,MAAM,yBAAyB,GAAG,+BAA+B,CAC/D,cAAc,EACd,sBAAsB,EACtB,KAAK,CACN,CAAC;IAEF,CAAC,MAAA,OAAO,CAAC,WAAW,mCAAI,OAAO,CAAC,IAAI,CAAC,CACnC,8BACE,yBAAyB,CAAC,MAC5B;EACF,0BAA0B,CAAC,yBAAyB,CAAC,EAAE,CACtD,CAAC;IAEF,IAAI,OAAO,CAAC,gBAAgB,EAAE;QAC5B,MAAM,IAAA,iCAA0B,EAAC,yBAAyB,CAAC,CAAC;KAC7D;IAED,IAAI,OAAO,CAAC,MAAM,EAAE;QAClB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,yBAAyB,CAAC,CAAC;KACjD;AACH,CAAC;AAnCD,kEAmCC;AAED,SAAS,kBAAkB,CAAC,KAAa;IACvC,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AAC1B,CAAC;AAEY,QAAA,OAAO,GAAG,IAAI,mBAAO,CAAC,+BAA+B,CAAC;KAChE,WAAW,CACV,gFAAgF,CACjF;KACA,MAAM,CACL,wBAAwB,EACxB,0CAA0C,EAC1C,kBAAkB,EAClB,EAAE,CACH;KACA,MAAM,CACL,w
BAAwB,EACxB,2CAA2C,EAC3C,kBAAkB,EAClB,EAAE,CACH;KACA,MAAM,CAAC,mBAAmB,EAAE,sCAAsC,CAAC;KACnE,MAAM,CAAC,2BAA2B,EAAE,kBAAkB,CAAC;KACvD,MAAM,CACL,sBAAsB,EACtB,kDAAkD,CACnD;KACA,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,MAAM,2BAA2B,CAAC;QAChC,eAAe,EAAE,OAAO,CAAC,YAAY;QACrC,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;KAC3C,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scan-node-js.d.ts","sourceRoot":"","sources":["../../src/commands/scan-node-js.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qBAAqB,EAEtB,MAAM,
|
|
1
|
+
{"version":3,"file":"scan-node-js.d.ts","sourceRoot":"","sources":["../../src/commands/scan-node-js.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qBAAqB,EAEtB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAuHpC,wBAAsB,UAAU,CAAC,EAC/B,OAAO,GACR,EAAE;IACD,OAAO,EAAE,MAAM,CAAC;CACjB,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAsBjC;AAED,eAAO,MAAM,OAAO,SAgBhB,CAAC"}
|
|
@@ -7,17 +7,21 @@ exports.command = exports.scanNodeJs = void 0;
|
|
|
7
7
|
const node_fetch_1 = __importDefault(require("node-fetch"));
|
|
8
8
|
const semver_1 = __importDefault(require("semver"));
|
|
9
9
|
const nv_1 = __importDefault(require("@pkgjs/nv"));
|
|
10
|
-
const
|
|
10
|
+
const vulnerability_1 = require("../vulnerability");
|
|
11
|
+
const vulnerability_2 = require("../vulnerability");
|
|
11
12
|
const commander_1 = require("commander");
|
|
12
13
|
async function formatVulnerability(id, nodeVulnerability, nodeVersion) {
|
|
13
14
|
const score = await fetchScore(`NSWG-COR-${id}`, nodeVulnerability);
|
|
14
|
-
return (0,
|
|
15
|
+
return (0, vulnerability_2.vulnerabilityToSnyk)({
|
|
15
16
|
id: `NSWG-COR-${id}`,
|
|
17
|
+
title: `NSWG-COR-${id}`,
|
|
16
18
|
cves: nodeVulnerability.cve,
|
|
17
19
|
fixedIn: (nodeVulnerability.patched || '').split(' || '),
|
|
18
20
|
packageName: '.node.js',
|
|
19
21
|
score,
|
|
20
|
-
|
|
22
|
+
severity: (0, vulnerability_1.scoreToSeverity)(score),
|
|
23
|
+
urls: [{ title: 'Ref', url: nodeVulnerability.ref }],
|
|
24
|
+
origins: [`.node.js@${nodeVersion}`],
|
|
21
25
|
packageVersion: nodeVersion,
|
|
22
26
|
description: nodeVulnerability.overview,
|
|
23
27
|
vulnerableSemver: nodeVulnerability.vulnerable,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scan-node-js.js","sourceRoot":"","sources":["../../src/commands/scan-node-js.ts"],"names":[],"mappings":";;;;;;AAAA,4DAA+B;AAC/B,oDAA4B;AAC5B,mDAA2B;AAK3B,
|
|
1
|
+
{"version":3,"file":"scan-node-js.js","sourceRoot":"","sources":["../../src/commands/scan-node-js.ts"],"names":[],"mappings":";;;;;;AAAA,4DAA+B;AAC/B,oDAA4B;AAC5B,mDAA2B;AAK3B,oDAAmD;AACnD,oDAAuD;AACvD,yCAAoC;AAYpC,KAAK,UAAU,mBAAmB,CAChC,EAAU,EACV,iBAAoC,EACpC,WAAmB;IAEnB,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,YAAY,EAAE,EAAE,EAAE,iBAAiB,CAAC,CAAC;IAEpE,OAAO,IAAA,mCAAmB,EAAC;QACzB,EAAE,EAAE,YAAY,EAAE,EAAE;QACpB,KAAK,EAAE,YAAY,EAAE,EAAE;QACvB,IAAI,EAAE,iBAAiB,CAAC,GAAG;QAC3B,OAAO,EAAE,CAAC,iBAAiB,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC;QACxD,WAAW,EAAE,UAAU;QACvB,KAAK;QACL,QAAQ,EAAE,IAAA,+BAAe,EAAC,KAAK,CAAC;QAChC,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,iBAAiB,CAAC,GAAG,EAAE,CAAC;QACpD,OAAO,EAAE,CAAC,YAAY,WAAW,EAAE,CAAC;QACpC,cAAc,EAAE,WAAW;QAC3B,WAAW,EAAE,iBAAiB,CAAC,QAAQ;QACvC,gBAAgB,EAAE,iBAAiB,CAAC,UAAU;KAC/C,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,MAAc,EACd,iBAAoC;IAEpC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,GAAG,CAC5B,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAChC,IAAA,oBAAK,EACH,0DAA0D,GAAG,EAAE,CAChE,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CACb,GAAG,CAAC,EAAE;QACJ,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE;QACZ,CAAC,CAAC,OAAO,CAAC,MAAM,CACZ,IAAI,KAAK,CAAC,SAAS,GAAG,oBAAoB,GAAG,CAAC,MAAM,EAAE,CAAC,CACxD,CACN,CACF,CACF,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;QACZ,OAAO,CAAC,KAAK,CACX,4BAA4B,MAAM,KAAM,CAAW,CAAC,OAAO,EAAE,CAC9D,CAAC;QAEF,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;IAEH,MAAM,sBAAsB,GAAG,CAC7B,WAGG,EACH,EAAE;;QACF,OAAO,CACL,MAAA,MAAA,MAAA,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,0CAAE,QAAQ,0CAAE,SAAS,mCAClE,MAAA,MAAA,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,0CAAE,QAAQ,0CAAE,SAAS,CACrE,CAAC;IACJ,CAAC,CAAC;IAEF,MAAM,OAAO,GAA2B,IAAI,CAAC,GAAG,CAC9C,CAAC,GAAG,EAAE,EAAE;;QACN,OAAA,MAAA,MAAA,sBAAsB,CACpB,MAAA,MAAA,MAAA,MAAA,GAAG,aAAH,GAAG,uBAAH,GAAG,CAAE,eAAe,CAAC,CAAC,CAAC,0CAAE,GAAG,0CAAE,OAAO,0CAAE,aAAa,mCAAI,EAAE,CAC3D,mCACD,sBAAsB,CACpB,MAAA,MAAA,MAAA,MAAA,GAAG,aAAH,GAAG,uBAAH,GAAG,CAAE,eAAe,CAAC,C
AAC,CAAC,0CAAE,GAAG,0CAAE,OAAO,0CAAE,aAAa,mCAAI,EAAE,CAC3D,mCACD,sBAAsB,CACpB,MAAA,MAAA,MAAA,MAAA,GAAG,aAAH,GAAG,uBAAH,GAAG,CAAE,eAAe,CAAC,CAAC,CAAC,0CAAE,GAAG,0CAAE,OAAO,0CAAE,YAAY,mCAAI,EAAE,CAC1D,CAAA;KAAA,CACJ,CAAC;IAEF,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE;QAC1B,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE;YAC5B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;SACtB;KACF;IAKD,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC/D,CAAC;AAED,KAAK,UAAU,cAAc;IAC3B,MAAM,GAAG,GACP,gFAAgF,CAAC;IAEnF,MAAM,QAAQ,GAAG,MAAM,IAAA,oBAAK,EAAC,GAAG,CAAC,CAAC;IAElC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,oBAAoB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;KACxD;IAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AAC/B,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,OAAe;IACxC,MAAM,SAAS,GAAG,CAAC,MAAM,IAAA,YAAE,EAAC,WAAW,CAAC,CAAC;SACtC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC;SAC1B,IAAI,CAAC,MAAM,CAAC,CAAC;IAEhB,OAAO,gBAAM,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAC9C,CAAC;AAEM,KAAK,UAAU,UAAU,CAAC,EAC/B,OAAO,GAGR;IAGC,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC,EAAE;QACjC,MAAM,IAAI,KAAK,CAAC,mBAAmB,OAAO,4BAA4B,CAAC,CAAC;KACzE;IAED,MAAM,mBAAmB,GAAG,MAAM,cAAc,EAAE,CAAC;IAEnD,MAAM,UAAU,GAAG,EAAE,CAAC;IAEtB,KAAK,MAAM,CAAC,EAAE,EAAE,aAAa,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,EAAE;QACrE,IACE,gBAAM,CAAC,SAAS,CAAC,OAAO,EAAE,aAAa,CAAC,UAAU,CAAC;YACnD,aAAa,CAAC,OAAO;YACrB,CAAC,gBAAM,CAAC,SAAS,CAAC,OAAO,EAAE,aAAa,CAAC,OAAO,CAAC,EACjD;YACA,UAAU,CAAC,IAAI,CAAC,MAAM,mBAAmB,CAAC,EAAE,EAAE,aAAa,EAAE,OAAO,CAAC,CAAC,CAAC;SACxE;KACF;IAED,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,CAAC;AACzC,CAAC;AA1BD,gCA0BC;AAEY,QAAA,OAAO,GAAG,IAAI,mBAAO,CAAC,cAAc,CAAC;KAC/C,WAAW,CAAC,gDAAgD,CAAC;KAC7D,MAAM,CACL,qBAAqB,EACrB,kEAAkE,CACnE;KACA,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CACZ,MAAM,UAAU,CAAC;QACf,OAAO,EAAE,OAAO,CAAC,OAAO;KACzB,CAAC,EACF,IAAI,EACJ,CAAC,CACF,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}
|
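--- a/package/dist/jira.d.ts
+++ b/package/dist/jira.d.ts
@@ -0,0 +1,4 @@
+import type { VulnerabilityInfo } from './vulnerability';
+export declare const buildJiraDescription: (vulnerability: VulnerabilityInfo) => string;
+export declare function createVulnerabilityTickets(vulnerabilities: VulnerabilityInfo[]): Promise<void>;
+//# sourceMappingURL=jira.d.ts.map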
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"jira.d.ts","sourceRoot":"","sources":["../src/jira.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAY,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAwInE,eAAO,MAAM,oBAAoB,kBAChB,iBAAiB,KAC/B,MAkCF,CAAC;AAEF,wBAAsB,0BAA0B,CAC9C,eAAe,EAAE,iBAAiB,EAAE,GACnC,OAAO,CAAC,IAAI,CAAC,CAyCf"}
|
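--- a/package/dist/jira.js
+++ b/package/dist/jira.js
@@ -0,0 +1,161 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createVulnerabilityTickets = exports.buildJiraDescription = void 0;
+const node_fetch_1 = __importDefault(require("node-fetch"));
+const vulnerability_1 = require("./vulnerability");
+const vulnerability_2 = require("./vulnerability");
+const formatDueDate = (date) => {
+const yy = date.getFullYear();
+const MM = String(date.getMonth() + 1).padStart(2, '0');
+const dd = String(date.getDate()).padStart(2, '0');
+return `${yy}-${MM}-${dd}`;
+};
+async function createJiraTicket(jiraBaseUrl, auth, issue) {
+var _a, _b;
+jiraBaseUrl = jiraBaseUrl.replace(/\/$/, '');
+const issueApiUrl = `${jiraBaseUrl}/rest/api/2/issue/`;
+const headers = {
+Authorization: `Bearer ${auth.token}`,
+Accept: 'application/json',
+};
+const jqlQuery = new URLSearchParams({
+jql: `project="${issue.project}" AND issuetype="${issue.issueType}" AND resolution=Unresolved AND summary~"${issue.summary}"`,
+}).toString();
+const searchApiUrl = `${jiraBaseUrl}/rest/api/2/search?${jqlQuery}`;
+const exists = await (0, node_fetch_1.default)(searchApiUrl, {
+method: 'GET',
+headers: {
+...headers,
+},
+}).then(async (res) => res.ok
+? (await res.json()).total > 0
+: Promise.reject(new Error(`HTTP error: ${res.status}. ${await res.text()}`)));
+if (exists) {
+console.info(`The ${issue.issueType} ticket ${issue.project} - ${issue.summary}, already exists.`);
+return;
+}
+const response = await (0, node_fetch_1.default)(issueApiUrl, {
+method: 'POST',
+headers: {
+...headers,
+'Content-Type': 'application/json',
+},
+body: JSON.stringify({
+fields: {
+project: {
+key: issue.project,
+},
+summary: issue.summary,
+description: issue.description,
+issuetype: {
+name: issue.issueType,
+},
+components: issue.components.length
+? issue.components.map((c) => ({ name: c }))
+: undefined,
+labels: issue.labels.length ? issue.labels : undefined,
+priority: {
+name: issue.priority,
+},
+duedate: formatDueDate(issue.dueDate),
+},
+}),
+});
+if (!response.ok) {
+throw new Error(`HTTP error: ${response.status}.`);
+}
+const key = (_b = (_a = (await response.json())) === null || _a === void 0 ? void 0 : _a.res) === null || _b === void 0 ? void 0 : _b.key;
+console.info('Created issue: ', `${jiraBaseUrl}/browse/${key}`);
+}
+const JIRA_ISSUE_TYPE = 'Build Failure';
+function severityToJiraPriority(severity) {
+if (severity === 'high') {
+return 'Critical - P2';
+}
+if (severity === 'medium') {
+return 'Major - P3';
+}
+if (severity === 'low') {
+return 'Minor - P4';
+}
+return 'Blocker - P1';
+}
+function severityToDueDate(severity) {
+const triageSlaDays = 2;
+const resolutionSlaDays = severity === 'high'
+? 5
+: severity === 'medium'
+? 6 * 7
+: severity === 'low'
+? 12 * 7
+:
+1;
+return new Date(new Date().getTime() +
+triageSlaDays +
+resolutionSlaDays * 24 * 60 * 60 * 1000);
+}
+const buildJiraDescription = (vulnerability) => {
+var _a, _b;
+return (`h4. Vulnerability Details
+
+- *Affected Package*: ${vulnerability.packageName}
+- *Affected Version*: ${vulnerability.packageVersion}
+- *Fixed In*: ${((_a = vulnerability.fixedIn) === null || _a === void 0 ? void 0 : _a.length) ? vulnerability.fixedIn.join(', ') : 'N/A'}
+- *Severity*: ${vulnerability.severity}
+- *Cvss score*: ${(_b = vulnerability.score) !== null && _b !== void 0 ? _b : '-'}
+
+h4. Vulnerability Description
+
+{panel:title=${vulnerability.title}}
+${vulnerability.description}
+{panel}
+
+h4. Vulnerable Paths
+
+${vulnerability.origins.map((o) => `# {{${o}}}`).join('\n')}
+
+h4. Links
+
+${vulnerability.urls.map((l) => `- [${l.title}|${l.url}]`).join('\n')}
+` +
+(process.env.JIRA_VULNERABILITY_BUILD_INFO
+? `
+h4. Build Info
+
+${process.env.JIRA_VULNERABILITY_BUILD_INFO}
+`
+: ''));
+};
+exports.buildJiraDescription = buildJiraDescription;
+async function createVulnerabilityTickets(vulnerabilities) {
+if (!process.env.JIRA_BASE_URL ||
+!process.env.JIRA_API_TOKEN ||
+!process.env.JIRA_PROJECT) {
+const missingEnv = ['JIRA_BASE_URL', 'JIRA_API_TOKEN', 'JIRA_PROJECT']
+.filter((k) => !process.env[k])
+.join(', ');
+throw new Error(`Missing required variables to create Jira tickets: ${missingEnv}`);
+}
+for (const vulnerability of vulnerabilities) {
+if ((0, vulnerability_2.isIgnored)(vulnerability)) {
+return;
+}
+await createJiraTicket(process.env.JIRA_BASE_URL, {
+token: process.env.JIRA_API_TOKEN,
+}, {
+project: process.env.JIRA_PROJECT,
+summary: `Vulnerability ${vulnerability.id} found on ${vulnerability.packageName}@${vulnerability.packageVersion}${(0, vulnerability_1.hasExpiredPolicy)(vulnerability) ? ' (Policy Expired)' : ''}`,
+description: (0, exports.buildJiraDescription)(vulnerability),
+components: ['Vulnerability Management'],
+labels: [],
+priority: severityToJiraPriority(vulnerability.severity),
+issueType: JIRA_ISSUE_TYPE,
+dueDate: severityToDueDate(vulnerability.severity),
+});
+}
+}
+exports.createVulnerabilityTickets = createVulnerabilityTickets;
+//# sourceMappingURL=jira.js.map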
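Review bot: The `return` at new line 144, inside the `for` loop of `createVulnerabilityTickets`, exits the whole function on the first ignored vulnerability, so every finding after it silently gets no ticket; it should be `continue;`. In `severityToDueDate` (lines 96–98) `triageSlaDays` is added as 2 milliseconds rather than 2 days because only `resolutionSlaDays` is multiplied; the intended value is `(triageSlaDays + resolutionSlaDays) * 24 * 60 * 60 * 1000`. The JQL at line 25 interpolates `issue.summary` (built from the advisory id, package name and version) unescaped inside double quotes, so a `"` or `\` in that data produces a malformed query that Jira rejects and aborts the run, and lets the data change the query's meaning; backslash-escape both characters before interpolating, e.g. `summary~"${jqlEscape(issue.summary)}"` with `jqlEscape` doing a `replace(/["\\]/g, ...)`. Line 70 reads `key` from a `res` property of the create-issue response, but as far as I recall Jira's POST `/rest/api/2/issue` returns `{ id, key, self }` at the top level, so the logged link would end in `undefined` — worth verifying against a live response. The 'unknown' severity also falls through to `'Blocker - P1'` with a 1-day SLA in both `severityToJiraPriority` and `severityToDueDate`, which may be intended but deserves a comment.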
package/dist/jira.js.map
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"jira.js","sourceRoot":"","sources":["../src/jira.ts"],"names":[],"mappings":";;;;;;AAAA,4DAA+B;AAE/B,mDAAmD;AACnD,mDAA4C;AAE5C,MAAM,aAAa,GAAG,CAAC,IAAU,EAAU,EAAE;IAC3C,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IAC9B,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACxD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAEnD,OAAO,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC;AAC7B,CAAC,CAAC;AAEF,KAAK,UAAU,gBAAgB,CAC7B,WAAmB,EACnB,IAEC,EACD,KASC;;IAED,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,GAAG,WAAW,oBAAoB,CAAC;IAEvD,MAAM,OAAO,GAAG;QACd,aAAa,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE;QACrC,MAAM,EAAE,kBAAkB;KAC3B,CAAC;IAEF,MAAM,QAAQ,GAAG,IAAI,eAAe,CAAC;QACnC,GAAG,EAAE,YAAY,KAAK,CAAC,OAAO,oBAAoB,KAAK,CAAC,SAAS,4CAA4C,KAAK,CAAC,OAAO,GAAG;KAC9H,CAAC,CAAC,QAAQ,EAAE,CAAC;IAEd,MAAM,YAAY,GAAG,GAAG,WAAW,sBAAsB,QAAQ,EAAE,CAAC;IAEpE,MAAM,MAAM,GAAG,MAAM,IAAA,oBAAK,EAAC,YAAY,EAAE;QACvC,MAAM,EAAE,KAAK;QACb,OAAO,EAAE;YACP,GAAG,OAAO;SACX;KACF,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CACpB,GAAG,CAAC,EAAE;QACJ,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,GAAG,CAAC;QAC9B,CAAC,CAAC,OAAO,CAAC,MAAM,CACZ,IAAI,KAAK,CAAC,eAAe,GAAG,CAAC,MAAM,KAAK,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAC5D,CACN,CAAC;IAEF,IAAI,MAAM,EAAE;QACV,OAAO,CAAC,IAAI,CACV,OAAO,KAAK,CAAC,SAAS,WAAW,KAAK,CAAC,OAAO,MAAM,KAAK,CAAC,OAAO,mBAAmB,CACrF,CAAC;QACF,OAAO;KACR;IAED,MAAM,QAAQ,GAAG,MAAM,IAAA,oBAAK,EAAC,WAAW,EAAE;QACxC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,GAAG,OAAO;YACV,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,MAAM,EAAE;gBACN,OAAO,EAAE;oBACP,GAAG,EAAE,KAAK,CAAC,OAAO;iBACnB;gBACD,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,SAAS,EAAE;oBACT,IAAI,EAAE,KAAK,CAAC,SAAS;iBACtB;gBACD,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,MAAM;oBACjC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC;oBACpD,CAAC,CAAC,SAAS;gBA
Cb,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;gBACtD,QAAQ,EAAE;oBACR,IAAI,EAAE,KAAK,CAAC,QAAQ;iBACrB;gBACD,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC;aACtC;SACF,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,eAAe,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;KACpD;IAED,MAAM,GAAG,GAAW,MAAA,MAAA,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,0CAAE,GAAG,0CAAE,GAAG,CAAC;IACtD,OAAO,CAAC,IAAI,CAAC,iBAAiB,EAAE,GAAG,WAAW,WAAW,GAAG,EAAE,CAAC,CAAC;AAClE,CAAC;AAED,MAAM,eAAe,GAAG,eAAe,CAAC;AAExC,SAAS,sBAAsB,CAAC,QAAkB;IAChD,IAAI,QAAQ,KAAK,MAAM,EAAE;QACvB,OAAO,eAAe,CAAC;KACxB;IAED,IAAI,QAAQ,KAAK,QAAQ,EAAE;QACzB,OAAO,YAAY,CAAC;KACrB;IAED,IAAI,QAAQ,KAAK,KAAK,EAAE;QACtB,OAAO,YAAY,CAAC;KACrB;IAGD,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAkB;IAC3C,MAAM,aAAa,GAAG,CAAC,CAAC;IACxB,MAAM,iBAAiB,GACrB,QAAQ,KAAK,MAAM;QACjB,CAAC,CAAC,CAAC;QACH,CAAC,CAAC,QAAQ,KAAK,QAAQ;YACvB,CAAC,CAAC,CAAC,GAAe,CAAC;YACnB,CAAC,CAAC,QAAQ,KAAK,KAAK;gBACpB,CAAC,CAAC,EAAE,GAAe,CAAC;gBACpB,CAAC;oBACC,CAAC,CAAC;IAER,OAAO,IAAI,IAAI,CACb,IAAI,IAAI,EAAE,CAAC,OAAO,EAAE;QAClB,aAAa;QACb,iBAAiB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAC1C,CAAC;AACJ,CAAC;AAEM,MAAM,oBAAoB,GAAG,CAClC,aAAgC,EACxB,EAAE;;IACV,OAAO,CACL;;wBAEoB,aAAa,CAAC,WAAW;wBACzB,aAAa,CAAC,cAAc;gBAE9C,CAAA,MAAA,aAAa,CAAC,OAAO,0CAAE,MAAM,EAAC,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KACrE;gBACY,aAAa,CAAC,QAAQ;kBACpB,MAAA,aAAa,CAAC,KAAK,mCAAI,GAAG;;;;eAI7B,aAAa,CAAC,KAAK;EAChC,aAAa,CAAC,WAAW;;;;;EAKzB,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;;;;EAIzD,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;CACpE;QACG,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B;YACxC,CAAC,CAAC;;;EAGN,OAAO,CAAC,GAAG,CAAC,6BAA6B;CAC1C;YACK,CAAC,CAAC,EAAE,CAAC,CACR,CAAC;AACJ,CAAC,CAAC;AApCW,QAAA,oBAAoB,wBAoC/B;AAEK,KAAK,UAAU,0BAA0B,CAC9C,eAAoC;IAEpC,IACE,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa;QA
C1B,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc;QAC3B,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EACzB;QACA,MAAM,UAAU,GAAG,CAAC,eAAe,EAAE,gBAAgB,EAAE,cAAc,CAAC;aACnE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;aAC9B,IAAI,CAAC,IAAI,CAAC,CAAC;QAEd,MAAM,IAAI,KAAK,CACb,sDAAsD,UAAU,EAAE,CACnE,CAAC;KACH;IAED,KAAK,MAAM,aAAa,IAAI,eAAe,EAAE;QAC3C,IAAI,IAAA,yBAAS,EAAC,aAAa,CAAC,EAAE;YAC5B,OAAO;SACR;QAED,MAAM,gBAAgB,CACpB,OAAO,CAAC,GAAG,CAAC,aAAa,EACzB;YACE,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc;SAClC,EACD;YACE,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;YACjC,OAAO,EAAE,iBAAiB,aAAa,CAAC,EAAE,aACxC,aAAa,CAAC,WAChB,IAAI,aAAa,CAAC,cAAc,GAC9B,IAAA,gCAAgB,EAAC,aAAa,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,EAC1D,EAAE;YACF,WAAW,EAAE,IAAA,4BAAoB,EAAC,aAAa,CAAC;YAChD,UAAU,EAAE,CAAC,0BAA0B,CAAC;YACxC,MAAM,EAAE,EAAE;YACV,QAAQ,EAAE,sBAAsB,CAAC,aAAa,CAAC,QAAQ,CAAC;YACxD,SAAS,EAAE,eAAe;YAC1B,OAAO,EAAE,iBAAiB,CAAC,aAAa,CAAC,QAAQ,CAAC;SACnD,CACF,CAAC;KACH;AACH,CAAC;AA3CD,gEA2CC"}
|
|
@@ -1,10 +1,31 @@
|
|
|
1
1
|
export declare type KnownSeverity = 'low' | 'medium' | 'high' | 'critical';
|
|
2
2
|
export declare type Severity = KnownSeverity | 'unknown';
|
|
3
|
-
declare type
|
|
4
|
-
export declare
|
|
5
|
-
|
|
3
|
+
export declare type SnykPolicyRules = any;
|
|
4
|
+
export declare type VulnerabilityInfo = {
|
|
5
|
+
id: string;
|
|
6
|
+
score?: number;
|
|
7
|
+
fixedIn: string[];
|
|
8
|
+
origins: string[];
|
|
9
|
+
severity: Severity;
|
|
10
|
+
title: string;
|
|
11
|
+
description: string;
|
|
12
|
+
packageName: string;
|
|
13
|
+
packageVersion: string;
|
|
14
|
+
vulnerableSemver: string;
|
|
15
|
+
cves: string[];
|
|
16
|
+
policy?: {
|
|
17
|
+
type: 'ignore';
|
|
18
|
+
reason: string;
|
|
19
|
+
expires: any;
|
|
20
|
+
};
|
|
21
|
+
urls: {
|
|
22
|
+
title: string;
|
|
23
|
+
url: string;
|
|
24
|
+
}[];
|
|
25
|
+
};
|
|
6
26
|
export declare type SnykVulnerability = {
|
|
7
27
|
id: string;
|
|
28
|
+
type?: 'license';
|
|
8
29
|
title: string;
|
|
9
30
|
CVSSv3: string;
|
|
10
31
|
credit: string[];
|
|
@@ -54,16 +75,15 @@ export declare type SnykVulnerability = {
|
|
|
54
75
|
export declare type SnykTestProjectResult = {
|
|
55
76
|
vulnerabilities: SnykVulnerability[];
|
|
56
77
|
};
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
}): SnykVulnerability | PromiseLike<SnykVulnerability>;
|
|
78
|
+
declare type Score = number | undefined;
|
|
79
|
+
export declare function severityToScore(severity: Severity): Score;
|
|
80
|
+
export declare function scoreToSeverity(score: number | undefined): Severity;
|
|
81
|
+
export declare function vulnerabilityToSnyk(vulnerability: VulnerabilityInfo): SnykVulnerability | PromiseLike<SnykVulnerability>;
|
|
82
|
+
export declare function vulnerabilityFromSnyk(snykVulnerability: SnykVulnerability, rules: SnykPolicyRules): VulnerabilityInfo;
|
|
83
|
+
export declare const loadSnykPolicyRules: (snykPolicyPath: string | undefined) => Promise<SnykPolicyRules>;
|
|
84
|
+
export declare function isIgnored(vulnerability: VulnerabilityInfo): boolean;
|
|
85
|
+
export declare function hasIgnorePolicy(vulnerability: VulnerabilityInfo): boolean;
|
|
86
|
+
export declare function hasExpiredPolicy(vulnerability: VulnerabilityInfo): boolean;
|
|
87
|
+
export declare function hasKnownRemediation(vulnerability: VulnerabilityInfo): boolean;
|
|
68
88
|
export {};
|
|
69
|
-
//# sourceMappingURL=
|
|
89
|
+
//# sourceMappingURL=vulnerability.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"vulnerability.d.ts","sourceRoot":"","sources":["../src/vulnerability.ts"],"names":[],"mappings":"AAGA,oBAAY,aAAa,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AACnE,oBAAY,QAAQ,GAAG,aAAa,GAAG,SAAS,CAAC;AAEjD,oBAAY,eAAe,GAAG,GAAG,CAAC;AAElC,oBAAY,iBAAiB,GAAG;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,MAAM,CAAC,EAAE;QACP,IAAI,EAAE,QAAQ,CAAC;QACf,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,GAAG,CAAC;KACd,CAAC;IACF,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CACxC,CAAC;AAEF,oBAAY,iBAAiB,GAAG;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,CAAC,EAAE,SAAS,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,MAAM,EAAE;QACN,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,KAAK,EAAE,CAAC;IACjB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,EAAE;QACR,YAAY,EAAE,IAAI,CAAC;KACpB,CAAC;IACF,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,SAAS,EAAE,KAAK,EAAE,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE;QACV,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,CAAC;KACf,EAAE,CAAC;IACJ,WAAW,EAAE,KAAK,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,IAAI,CAAC;IAClB,WAAW,EAAE;QACX,GAAG,EAAE,MAAM,EAAE,CAAC;KACf,CAAC;IACF,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,OAAO,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,KAAK,EAAE,CAAC;IACvB,cAAc,EAAE,KAAK,EAAE,CAAC;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,QAAQ,CAAC;IAC/B,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,WAAW,EAAE,KAAK,EAAE,CAAC;IACrB,YAAY,EAAE,OAAO,CAAC;IACtB,WAAW,EAAE,OAAO,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;A
AEF,oBAAY,qBAAqB,GAAG;IAClC,eAAe,EAAE,iBAAiB,EAAE,CAAC;CACtC,CAAC;AAEF,aAAK,KAAK,GAAG,MAAM,GAAG,SAAS,CAAC;AAUhC,wBAAgB,eAAe,CAAC,QAAQ,EAAE,QAAQ,GAAG,KAAK,CAEzD;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,CAenE;AAED,wBAAgB,mBAAmB,CACjC,aAAa,EAAE,iBAAiB,GAC/B,iBAAiB,GAAG,WAAW,CAAC,iBAAiB,CAAC,CA2DpD;AAED,wBAAgB,qBAAqB,CACnC,iBAAiB,EAAE,iBAAiB,EACpC,KAAK,EAAE,eAAe,GACrB,iBAAiB,CAwCnB;AAED,eAAO,MAAM,mBAAmB,mBACd,MAAM,GAAG,SAAS,KACjC,QAAQ,eAAe,CAGtB,CAAC;AAEL,wBAAgB,SAAS,CAAC,aAAa,EAAE,iBAAiB,GAAG,OAAO,CAEnE;AAED,wBAAgB,eAAe,CAAC,aAAa,EAAE,iBAAiB,GAAG,OAAO,CAEzE;AAED,wBAAgB,gBAAgB,CAAC,aAAa,EAAE,iBAAiB,GAAG,OAAO,CAE1E;AAED,wBAAgB,mBAAmB,CAAC,aAAa,EAAE,iBAAiB,GAAG,OAAO,CAE7E"}
|
|
@@ -0,0 +1,144 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.hasKnownRemediation = exports.hasExpiredPolicy = exports.hasIgnorePolicy = exports.isIgnored = exports.loadSnykPolicyRules = exports.vulnerabilityFromSnyk = exports.vulnerabilityToSnyk = exports.scoreToSeverity = exports.severityToScore = void 0;
|
|
4
|
+
const snykPolicy = require('snyk-policy');
|
|
5
|
+
const SEVERITY_TO_SCORE = {
|
|
6
|
+
low: 0,
|
|
7
|
+
medium: 4,
|
|
8
|
+
high: 7,
|
|
9
|
+
critical: 9,
|
|
10
|
+
unknown: undefined,
|
|
11
|
+
};
|
|
12
|
+
function severityToScore(severity) {
|
|
13
|
+
return SEVERITY_TO_SCORE[severity];
|
|
14
|
+
}
|
|
15
|
+
exports.severityToScore = severityToScore;
|
|
16
|
+
function scoreToSeverity(score) {
|
|
17
|
+
if (score === undefined) {
|
|
18
|
+
return 'unknown';
|
|
19
|
+
}
|
|
20
|
+
if (score >= 9) {
|
|
21
|
+
return 'critical';
|
|
22
|
+
}
|
|
23
|
+
if (score >= 7) {
|
|
24
|
+
return 'high';
|
|
25
|
+
}
|
|
26
|
+
if (score >= 4) {
|
|
27
|
+
return 'medium';
|
|
28
|
+
}
|
|
29
|
+
return 'low';
|
|
30
|
+
}
|
|
31
|
+
exports.scoreToSeverity = scoreToSeverity;
|
|
32
|
+
function vulnerabilityToSnyk(vulnerability) {
|
|
33
|
+
const { id, packageName, packageVersion, score, cves, vulnerableSemver, fixedIn, description, urls, } = vulnerability;
|
|
34
|
+
const severity = scoreToSeverity(score);
|
|
35
|
+
return {
|
|
36
|
+
id,
|
|
37
|
+
title: id,
|
|
38
|
+
CVSSv3: '-',
|
|
39
|
+
credit: ['-'],
|
|
40
|
+
semver: {
|
|
41
|
+
vulnerable: vulnerableSemver,
|
|
42
|
+
},
|
|
43
|
+
exploit: '-',
|
|
44
|
+
patched: fixedIn,
|
|
45
|
+
patches: [],
|
|
46
|
+
fixedIn: fixedIn,
|
|
47
|
+
insights: {
|
|
48
|
+
triageAdvice: null,
|
|
49
|
+
},
|
|
50
|
+
language: 'js',
|
|
51
|
+
severity: severity,
|
|
52
|
+
cvssScore: score,
|
|
53
|
+
functions: [],
|
|
54
|
+
moduleName: packageName,
|
|
55
|
+
references: urls,
|
|
56
|
+
cvssDetails: [],
|
|
57
|
+
description: description !== null && description !== void 0 ? description : '',
|
|
58
|
+
epssDetails: null,
|
|
59
|
+
identifiers: {
|
|
60
|
+
CVE: cves,
|
|
61
|
+
},
|
|
62
|
+
packageName: packageName,
|
|
63
|
+
proprietary: true,
|
|
64
|
+
creationTime: '-',
|
|
65
|
+
functions_new: [],
|
|
66
|
+
alternativeIds: [],
|
|
67
|
+
disclosureTime: '-',
|
|
68
|
+
packageManager: 'npm',
|
|
69
|
+
publicationTime: '-',
|
|
70
|
+
modificationTime: '-',
|
|
71
|
+
socialTrendAlert: false,
|
|
72
|
+
severityWithCritical: severity,
|
|
73
|
+
from: [`${packageName}@${packageVersion}`],
|
|
74
|
+
upgradePath: [],
|
|
75
|
+
isUpgradable: true,
|
|
76
|
+
isPatchable: false,
|
|
77
|
+
name: packageName,
|
|
78
|
+
version: packageVersion,
|
|
79
|
+
};
|
|
80
|
+
}
|
|
81
|
+
exports.vulnerabilityToSnyk = vulnerabilityToSnyk;
|
|
82
|
+
function vulnerabilityFromSnyk(snykVulnerability, rules) {
|
|
83
|
+
var _a, _b, _c, _d, _e, _f, _g;
|
|
84
|
+
const urls = [];
|
|
85
|
+
if ((_a = snykVulnerability.id) === null || _a === void 0 ? void 0 : _a.startsWith('NSWG-COR-')) {
|
|
86
|
+
const id = snykVulnerability.id.split('-').reverse()[0];
|
|
87
|
+
urls.push({
|
|
88
|
+
title: snykVulnerability.id,
|
|
89
|
+
url: `https://github.com/nodejs/security-wg/blob/main/vuln/core/${id}.json`,
|
|
90
|
+
});
|
|
91
|
+
}
|
|
92
|
+
else {
|
|
93
|
+
urls.push({
|
|
94
|
+
title: snykVulnerability.id,
|
|
95
|
+
url: `https://security.snyk.io/vuln/${snykVulnerability.id}`,
|
|
96
|
+
});
|
|
97
|
+
urls.push({
|
|
98
|
+
title: `${snykVulnerability.name}@${snykVulnerability.version} vulnerabilities`,
|
|
99
|
+
url: `https://security.snyk.io/package/npm/${snykVulnerability.name}/${snykVulnerability.version}`,
|
|
100
|
+
});
|
|
101
|
+
}
|
|
102
|
+
for (const cve of (_c = (_b = snykVulnerability.identifiers) === null || _b === void 0 ? void 0 : _b.CVE) !== null && _c !== void 0 ? _c : []) {
|
|
103
|
+
urls.push({ title: cve, url: `https://nvd.nist.gov/vuln/detail/${cve}` });
|
|
104
|
+
}
|
|
105
|
+
return {
|
|
106
|
+
packageName: snykVulnerability.name,
|
|
107
|
+
packageVersion: snykVulnerability.version,
|
|
108
|
+
id: snykVulnerability.id,
|
|
109
|
+
score: snykVulnerability.cvssScore,
|
|
110
|
+
severity: snykVulnerability.severity,
|
|
111
|
+
title: snykVulnerability.title,
|
|
112
|
+
description: snykVulnerability.description,
|
|
113
|
+
fixedIn: snykVulnerability.fixedIn,
|
|
114
|
+
cves: (_e = (_d = snykVulnerability.identifiers) === null || _d === void 0 ? void 0 : _d.CVE) !== null && _e !== void 0 ? _e : [],
|
|
115
|
+
origins: snykVulnerability.from ? [snykVulnerability.from.join(' > ')] : [],
|
|
116
|
+
vulnerableSemver: (_g = (_f = snykVulnerability.semver) === null || _f === void 0 ? void 0 : _f.vulnerable) !== null && _g !== void 0 ? _g : snykVulnerability.version,
|
|
117
|
+
policy: snykPolicy.getByVuln(rules, snykVulnerability),
|
|
118
|
+
urls: urls,
|
|
119
|
+
};
|
|
120
|
+
}
|
|
121
|
+
exports.vulnerabilityFromSnyk = vulnerabilityFromSnyk;
|
|
122
|
+
const loadSnykPolicyRules = async (snykPolicyPath) => await snykPolicy.load(snykPolicyPath !== null && snykPolicyPath !== void 0 ? snykPolicyPath : process.cwd(), {
|
|
123
|
+
loose: true,
|
|
124
|
+
});
|
|
125
|
+
exports.loadSnykPolicyRules = loadSnykPolicyRules;
|
|
126
|
+
function isIgnored(vulnerability) {
|
|
127
|
+
return hasIgnorePolicy(vulnerability) && !hasExpiredPolicy(vulnerability);
|
|
128
|
+
}
|
|
129
|
+
exports.isIgnored = isIgnored;
|
|
130
|
+
function hasIgnorePolicy(vulnerability) {
|
|
131
|
+
var _a;
|
|
132
|
+
return ((_a = vulnerability.policy) === null || _a === void 0 ? void 0 : _a.type) === 'ignore';
|
|
133
|
+
}
|
|
134
|
+
exports.hasIgnorePolicy = hasIgnorePolicy;
|
|
135
|
+
function hasExpiredPolicy(vulnerability) {
|
|
136
|
+
var _a;
|
|
137
|
+
return new Date() >= ((_a = vulnerability.policy) === null || _a === void 0 ? void 0 : _a.expires);
|
|
138
|
+
}
|
|
139
|
+
exports.hasExpiredPolicy = hasExpiredPolicy;
|
|
140
|
+
function hasKnownRemediation(vulnerability) {
|
|
141
|
+
return !!vulnerability.fixedIn.length;
|
|
142
|
+
}
|
|
143
|
+
exports.hasKnownRemediation = hasKnownRemediation;
|
|
144
|
+
//# sourceMappingURL=vulnerability.js.map
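Review bot: `hasExpiredPolicy` (new lines 135–138) compares `new Date()` with `vulnerability.policy?.expires` using `>=`, which only behaves when `expires` is already a Date; the declaration types it `any`, and if snyk-policy returns the ISO string from the `.snyk` file the comparison coerces it to NaN, the policy never expires, and `isIgnored` keeps suppressing the finding indefinitely. Normalise first: `const expires = vulnerability.policy?.expires;` then `return expires != null && new Date() >= new Date(expires);`. `hasKnownRemediation` (line 141) reads `fixedIn.length` without the `?.` that `buildJiraDescription` in jira.js uses on the same field, so a `VulnerabilityInfo` with `fixedIn` missing throws here but renders as `N/A` there; `return !!vulnerability.fixedIn?.length;` keeps the two consistent. Whether snyk-policy hands back a string or a Date for `expires` cannot be confirmed from this diff.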
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"vulnerability.js","sourceRoot":"","sources":["../src/vulnerability.ts"],"names":[],"mappings":";;;AACA,MAAM,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;AAmF1C,MAAM,iBAAiB,GAA4B;IACjD,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;IACX,OAAO,EAAE,SAAS;CACnB,CAAC;AAEF,SAAgB,eAAe,CAAC,QAAkB;IAChD,OAAO,iBAAiB,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC;AAFD,0CAEC;AAED,SAAgB,eAAe,CAAC,KAAyB;IACvD,IAAI,KAAK,KAAK,SAAS,EAAE;QACvB,OAAO,SAAS,CAAC;KAClB;IAED,IAAI,KAAK,IAAI,CAAC,EAAE;QACd,OAAO,UAAU,CAAC;KACnB;IACD,IAAI,KAAK,IAAI,CAAC,EAAE;QACd,OAAO,MAAM,CAAC;KACf;IACD,IAAI,KAAK,IAAI,CAAC,EAAE;QACd,OAAO,QAAQ,CAAC;KACjB;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAfD,0CAeC;AAED,SAAgB,mBAAmB,CACjC,aAAgC;IAEhC,MAAM,EACJ,EAAE,EACF,WAAW,EACX,cAAc,EACd,KAAK,EACL,IAAI,EACJ,gBAAgB,EAChB,OAAO,EACP,WAAW,EACX,IAAI,GACL,GAAG,aAAa,CAAC;IAElB,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACxC,OAAO;QACL,EAAE;QACF,KAAK,EAAE,EAAE;QACT,MAAM,EAAE,GAAG;QACX,MAAM,EAAE,CAAC,GAAG,CAAC;QACb,MAAM,EAAE;YACN,UAAU,EAAE,gBAAgB;SAC7B;QACD,OAAO,EAAE,GAAG;QACZ,OAAO,EAAE,OAAO;QAChB,OAAO,EAAE,EAAE;QACX,OAAO,EAAE,OAAO;QAChB,QAAQ,EAAE;YACR,YAAY,EAAE,IAAI;SACnB;QACD,QAAQ,EAAE,IAAI;QACd,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,EAAE;QACb,UAAU,EAAE,WAAW;QACvB,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,EAAE;QACf,WAAW,EAAE,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,EAAE;QAC9B,WAAW,EAAE,IAAI;QACjB,WAAW,EAAE;YACX,GAAG,EAAE,IAAI;SACV;QACD,WAAW,EAAE,WAAW;QACxB,WAAW,EAAE,IAAI;QACjB,YAAY,EAAE,GAAG;QACjB,aAAa,EAAE,EAAE;QACjB,cAAc,EAAE,EAAE;QAClB,cAAc,EAAE,GAAG;QACnB,cAAc,EAAE,KAAK;QACrB,eAAe,EAAE,GAAG;QACpB,gBAAgB,EAAE,GAAG;QACrB,gBAAgB,EAAE,KAAK;QACvB,oBAAoB,EAAE,QAAQ;QAC9B,IAAI,EAAE,CAAC,GAAG,WAAW,IAAI,cAAc,EAAE,CAAC;QAC1C,WAAW,EAAE,EAAE;QACf,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,KAAK;QAClB,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,cAAc;KACxB,CAAC;AACJ,CAAC;AA7DD,kDA6DC;AAED,SAAgB,qBAAqB,CACnC,iBAAoC,EACpC,KAAsB;;IAEtB,MAAM,IAAI,GAAG,EAAE,CAAC;IAEhB,IAAI,MAAA,iBAAiB,CAAC,EAAE,0CAAE,UAAU,CAAC,WAAW,CAAC,EAAE;QACjD,MAAM,EAAE,GAAG,iBAAiB,CAAC,EAAE,CAAC
,KAAK,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QACxD,IAAI,CAAC,IAAI,CAAC;YACR,KAAK,EAAE,iBAAiB,CAAC,EAAE;YAC3B,GAAG,EAAE,6DAA6D,EAAE,OAAO;SAC5E,CAAC,CAAC;KACJ;SAAM;QACL,IAAI,CAAC,IAAI,CAAC;YACR,KAAK,EAAE,iBAAiB,CAAC,EAAE;YAC3B,GAAG,EAAE,iCAAiC,iBAAiB,CAAC,EAAE,EAAE;SAC7D,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,CAAC;YACR,KAAK,EAAE,GAAG,iBAAiB,CAAC,IAAI,IAAI,iBAAiB,CAAC,OAAO,kBAAkB;YAC/E,GAAG,EAAE,wCAAwC,iBAAiB,CAAC,IAAI,IAAI,iBAAiB,CAAC,OAAO,EAAE;SACnG,CAAC,CAAC;KACJ;IAED,KAAK,MAAM,GAAG,IAAI,MAAA,MAAA,iBAAiB,CAAC,WAAW,0CAAE,GAAG,mCAAI,EAAE,EAAE;QAC1D,IAAI,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,oCAAoC,GAAG,EAAE,EAAE,CAAC,CAAC;KAC3E;IAED,OAAO;QACL,WAAW,EAAE,iBAAiB,CAAC,IAAI;QACnC,cAAc,EAAE,iBAAiB,CAAC,OAAO;QACzC,EAAE,EAAE,iBAAiB,CAAC,EAAE;QACxB,KAAK,EAAE,iBAAiB,CAAC,SAAS;QAClC,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;QACpC,KAAK,EAAE,iBAAiB,CAAC,KAAK;QAC9B,WAAW,EAAE,iBAAiB,CAAC,WAAW;QAC1C,OAAO,EAAE,iBAAiB,CAAC,OAAO;QAClC,IAAI,EAAE,MAAA,MAAA,iBAAiB,CAAC,WAAW,0CAAE,GAAG,mCAAI,EAAE;QAC9C,OAAO,EAAE,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE;QAC3E,gBAAgB,EACd,MAAA,MAAA,iBAAiB,CAAC,MAAM,0CAAE,UAAU,mCAAI,iBAAiB,CAAC,OAAO;QACnE,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC;QACtD,IAAI,EAAE,IAAI;KACX,CAAC;AACJ,CAAC;AA3CD,sDA2CC;AAEM,MAAM,mBAAmB,GAAG,KAAK,EACtC,cAAkC,EACR,EAAE,CAC5B,MAAM,UAAU,CAAC,IAAI,CAAC,cAAc,aAAd,cAAc,cAAd,cAAc,GAAI,OAAO,CAAC,GAAG,EAAE,EAAE;IACrD,KAAK,EAAE,IAAI;CACZ,CAAC,CAAC;AALQ,QAAA,mBAAmB,uBAK3B;AAEL,SAAgB,SAAS,CAAC,aAAgC;IACxD,OAAO,eAAe,CAAC,aAAa,CAAC,IAAI,CAAC,gBAAgB,CAAC,aAAa,CAAC,CAAC;AAC5E,CAAC;AAFD,8BAEC;AAED,SAAgB,eAAe,CAAC,aAAgC;;IAC9D,OAAO,CAAA,MAAA,aAAa,CAAC,MAAM,0CAAE,IAAI,MAAK,QAAQ,CAAC;AACjD,CAAC;AAFD,0CAEC;AAED,SAAgB,gBAAgB,CAAC,aAAgC;;IAC/D,OAAO,IAAI,IAAI,EAAE,KAAI,MAAA,aAAa,CAAC,MAAM,0CAAE,OAAO,CAAA,CAAC;AACrD,CAAC;AAFD,4CAEC;AAED,SAAgB,mBAAmB,CAAC,aAAgC;IAClE,OAAO,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,CAAC;AACxC,CAAC;AAFD,kDAEC"}
|
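--- a/package/package.json
+++ b/package/package.json
@@ -16,7 +16,7 @@
 "email": "compass@mongodb.com"
 },
 "homepage": "https://github.com/mongodb-js/devtools-shared",
-"version": "0.
+"version": "0.4.0",
 "repository": {
 "type": "git",
 "url": "https://github.com/mongodb-js/devtools-shared.git"
@@ -83,5 +83,5 @@
 "snyk-policy": "^2.0.4",
 "spdx-satisfies": "^5.0.1"
 },
-"gitHead": "
+"gitHead": "cd9624abfc2402784b0b97b146631bdd5d2e822d"
 }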
@@ -1 +0,0 @@
1
-
{"version":3,"file":"snyk-vulnerability.d.ts","sourceRoot":"","sources":["../src/snyk-vulnerability.ts"],"names":[],"mappings":"AAAA,oBAAY,aAAa,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AACnE,oBAAY,QAAQ,GAAG,aAAa,GAAG,SAAS,CAAC;AAEjD,aAAK,KAAK,GAAG,MAAM,GAAG,SAAS,CAAC;AAUhC,wBAAgB,eAAe,CAAC,QAAQ,EAAE,QAAQ,GAAG,KAAK,CAEzD;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,CAenE;AAED,oBAAY,iBAAiB,GAAG;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,MAAM,EAAE;QACN,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,KAAK,EAAE,CAAC;IACjB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,EAAE;QACR,YAAY,EAAE,IAAI,CAAC;KACpB,CAAC;IACF,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,SAAS,EAAE,KAAK,EAAE,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE;QACV,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,CAAC;KACf,EAAE,CAAC;IACJ,WAAW,EAAE,KAAK,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,IAAI,CAAC;IAClB,WAAW,EAAE;QACX,GAAG,EAAE,MAAM,EAAE,CAAC;KACf,CAAC;IACF,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,OAAO,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,KAAK,EAAE,CAAC;IACvB,cAAc,EAAE,KAAK,EAAE,CAAC;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,QAAQ,CAAC;IAC/B,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,WAAW,EAAE,KAAK,EAAE,CAAC;IACrB,YAAY,EAAE,OAAO,CAAC;IACtB,WAAW,EAAE,OAAO,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,oBAAY,qBAAqB,GAAG;IAClC,eAAe,EAAE,iBAAiB,EAAE,CAAC;CACtC,CAAC;AAEF,wBAAgB,sBAAsB,CAAC,EACrC,EAAE,EACF,WAAW,EACX,cAAc,EACd,KAAK,EACL,IAAI,EACJ,gBAAgB,EAChB,OAAO,EACP,WAAW,EACX,GAAG,GACJ,EAAE;IACD,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,cAAc,EAAE,MA
AM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;CAC1B,GAAG,iBAAiB,GAAG,WAAW,CAAC,iBAAiB,CAAC,CAsDrD"}
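--- a/package/dist/snyk-vulnerability.js
+++ b/package/dist/snyk-vulnerability.js
@@ -1,87 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.buildSnykVulnerability = exports.scoreToSeverity = exports.severityToScore = void 0;
-const SEVERITY_TO_SCORE = {
-low: 0,
-medium: 4,
-high: 7,
-critical: 9,
-unknown: undefined,
-};
-function severityToScore(severity) {
-return SEVERITY_TO_SCORE[severity];
-}
-exports.severityToScore = severityToScore;
-function scoreToSeverity(score) {
-if (score === undefined) {
-return 'unknown';
-}
-if (score >= 9) {
-return 'critical';
-}
-if (score >= 7) {
-return 'high';
-}
-if (score >= 4) {
-return 'medium';
-}
-return 'low';
-}
-exports.scoreToSeverity = scoreToSeverity;
-function buildSnykVulnerability({ id, packageName, packageVersion, score, cves, vulnerableSemver, fixedIn, description, url, }) {
-const severity = scoreToSeverity(score);
-return {
-id,
-title: id,
-CVSSv3: '-',
-credit: ['-'],
-semver: {
-vulnerable: vulnerableSemver,
-},
-exploit: '-',
-patched: fixedIn,
-patches: [],
-fixedIn: fixedIn,
-insights: {
-triageAdvice: null,
-},
-language: 'js',
-severity: severity,
-cvssScore: score,
-functions: [],
-moduleName: packageName,
-references: url
-? [
-{
-url: url,
-title: 'Ref',
-},
-]
-: [],
-cvssDetails: [],
-description: description !== null && description !== void 0 ? description : '',
-epssDetails: null,
-identifiers: {
-CVE: cves,
-},
-packageName: packageName,
-proprietary: true,
-creationTime: '-',
-functions_new: [],
-alternativeIds: [],
-disclosureTime: '-',
-packageManager: 'npm',
-publicationTime: '-',
-modificationTime: '-',
-socialTrendAlert: false,
-severityWithCritical: severity,
-from: [`${packageName}@${packageVersion}`],
-upgradePath: [],
-isUpgradable: true,
-isPatchable: false,
-name: packageName,
-version: packageVersion,
-};
-}
-exports.buildSnykVulnerability = buildSnykVulnerability;
-//# sourceMappingURL=snyk-vulnerability.js.map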
@@ -1 +0,0 @@
1
-
{"version":3,"file":"snyk-vulnerability.js","sourceRoot":"","sources":["../src/snyk-vulnerability.ts"],"names":[],"mappings":";;;AAKA,MAAM,iBAAiB,GAA4B;IACjD,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;IACX,OAAO,EAAE,SAAS;CACnB,CAAC;AAEF,SAAgB,eAAe,CAAC,QAAkB;IAChD,OAAO,iBAAiB,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC;AAFD,0CAEC;AAED,SAAgB,eAAe,CAAC,KAAyB;IACvD,IAAI,KAAK,KAAK,SAAS,EAAE;QACvB,OAAO,SAAS,CAAC;KAClB;IAED,IAAI,KAAK,IAAI,CAAC,EAAE;QACd,OAAO,UAAU,CAAC;KACnB;IACD,IAAI,KAAK,IAAI,CAAC,EAAE;QACd,OAAO,MAAM,CAAC;KACf;IACD,IAAI,KAAK,IAAI,CAAC,EAAE;QACd,OAAO,QAAQ,CAAC;KACjB;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAfD,0CAeC;AAuDD,SAAgB,sBAAsB,CAAC,EACrC,EAAE,EACF,WAAW,EACX,cAAc,EACd,KAAK,EACL,IAAI,EACJ,gBAAgB,EAChB,OAAO,EACP,WAAW,EACX,GAAG,GAWJ;IACC,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACxC,OAAO;QACL,EAAE;QACF,KAAK,EAAE,EAAE;QACT,MAAM,EAAE,GAAG;QACX,MAAM,EAAE,CAAC,GAAG,CAAC;QACb,MAAM,EAAE;YACN,UAAU,EAAE,gBAAgB;SAC7B;QACD,OAAO,EAAE,GAAG;QACZ,OAAO,EAAE,OAAO;QAChB,OAAO,EAAE,EAAE;QACX,OAAO,EAAE,OAAO;QAChB,QAAQ,EAAE;YACR,YAAY,EAAE,IAAI;SACnB;QACD,QAAQ,EAAE,IAAI;QACd,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,EAAE;QACb,UAAU,EAAE,WAAW;QACvB,UAAU,EAAE,GAAG;YACb,CAAC,CAAC;gBACE;oBACE,GAAG,EAAE,GAAG;oBACR,KAAK,EAAE,KAAK;iBACb;aACF;YACH,CAAC,CAAC,EAAE;QACN,WAAW,EAAE,EAAE;QACf,WAAW,EAAE,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,EAAE;QAC9B,WAAW,EAAE,IAAI;QACjB,WAAW,EAAE;YACX,GAAG,EAAE,IAAI;SACV;QACD,WAAW,EAAE,WAAW;QACxB,WAAW,EAAE,IAAI;QACjB,YAAY,EAAE,GAAG;QACjB,aAAa,EAAE,EAAE;QACjB,cAAc,EAAE,EAAE;QAClB,cAAc,EAAE,GAAG;QACnB,cAAc,EAAE,KAAK;QACrB,eAAe,EAAE,GAAG;QACpB,gBAAgB,EAAE,GAAG;QACrB,gBAAgB,EAAE,KAAK;QACvB,oBAAoB,EAAE,QAAQ;QAC9B,IAAI,EAAE,CAAC,GAAG,WAAW,IAAI,cAAc,EAAE,CAAC;QAC1C,WAAW,EAAE,EAAE;QACf,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,KAAK;QAClB,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,cAAc;KACxB,CAAC;AACJ,CAAC;AA1ED,wDA0EC"}