npm - @socketsecurity/cli-with-sentry - Versions diffs - 0.15.22 → 0.15.23 - Mend

@socketsecurity/cli-with-sentry 0.15.22 → 0.15.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/utils.js CHANGED Viewed

@@ -1846,30 +1846,11 @@ const ALERT_SEVERITY_ORDER = createEnum({
   none: 4
 });
 const {
-  CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER,
   NPM: NPM$3
 } = constants;
 const MIN_ABOVE_THE_FOLD_COUNT = 3;
 const MIN_ABOVE_THE_FOLD_ALERT_COUNT = 1;
 const format = new ColorOrMarkdown(false);
-function alertsHaveBlocked(alerts) {
-  return alerts.find(a => a.blocked) !== undefined;
-}
-function alertsHaveSeverity(alerts, severity) {
-  return alerts.find(a => a.raw.severity === severity) !== undefined;
-}
-function alertSeverityComparator(a, b) {
-  return getAlertSeverityOrder(a) - getAlertSeverityOrder(b);
-}
-function getAlertSeverityOrder(alert) {
-  const {
-    severity
-  } = alert.raw;
-  return severity === ALERT_SEVERITY.critical ? 0 : severity === ALERT_SEVERITY.high ? 1 : severity === ALERT_SEVERITY.middle ? 2 : severity === ALERT_SEVERITY.low ? 3 : 4;
-}
-function getAlertsSeverityOrder(alerts) {
-  return alertsHaveBlocked(alerts) || alertsHaveSeverity(alerts, ALERT_SEVERITY.critical) ? 0 : alertsHaveSeverity(alerts, ALERT_SEVERITY.high) ? 1 : alertsHaveSeverity(alerts, ALERT_SEVERITY.middle) ? 2 : alertsHaveSeverity(alerts, ALERT_SEVERITY.low) ? 3 : 4;
-}
 function getHiddenRiskCounts(hiddenAlerts) {
   const riskCounts = {
     critical: 0,
@@ -1911,9 +1892,6 @@ function getHiddenRisksDescription(riskCounts) {
   }
   return `(${descriptions.join('; ')})`;
 }
-function getSeverityLabel(severity) {
-  return severity === 'middle' ? 'moderate' : severity;
-}
 async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
   // Make TypeScript happy.
   if (!artifact.name || !artifact.version || !artifact.alerts?.length) {
@@ -1927,6 +1905,8 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
     __proto__: null,
     ...options
   };
+  const socketYml = findSocketYmlSync();
+  const localRules = socketYml?.parsed.issueRules;
   const include = {
     __proto__: null,
     blocked: true,
@@ -1942,10 +1922,9 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
   } = artifact;
   const pkgId = `${name}@${version}`;
   const major = vendor.semverExports.major(version);
-  const socketYml = findSocketYmlSync();
   const enabledState = {
     __proto__: null,
-    ...socketYml?.parsed.issueRules
+    ...localRules
   };
   let sockPkgAlerts = [];
   for (const alert of artifact.alerts) {
@@ -1987,19 +1966,28 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
       const alert = sockPkgAlert.raw;
       const fixType = alert.fix?.type ?? '';
       if (fixType === ALERT_FIX_TYPE.cve) {
-        const patchedVersion = alert.props[CVE_ALERT_PROPS_FIRST_PATCHED_VERSION_IDENTIFIER];
-        const patchedMajor = vendor.semverExports.major(patchedVersion);
-        const oldHighest = highestForCve.get(patchedMajor);
-        const highest = oldHighest?.version ?? '0.0.0';
-        if (vendor.semverExports.gt(patchedVersion, highest)) {
-          highestForCve.set(patchedMajor, {
-            alert: sockPkgAlert,
-            version: patchedVersion
-          });
+        // An alert with alert.fix.type of 'cve' should have a
+        // alert.props.firstPatchedVersionIdentifier property value.
+        // We're just being cautious.
+        const firstPatchedVersionIdentifier = alert.props?.firstPatchedVersionIdentifier;
+        if (firstPatchedVersionIdentifier) {
+          // Consolidate to the highest "first patched version" by each major
+          // version number.
+          const patchedMajor = vendor.semverExports.major(firstPatchedVersionIdentifier);
+          const highest = highestForCve.get(patchedMajor)?.version ?? '0.0.0';
+          if (vendor.semverExports.gt(firstPatchedVersionIdentifier, highest)) {
+            highestForCve.set(patchedMajor, {
+              alert: sockPkgAlert,
+              version: firstPatchedVersionIdentifier
+            });
+          }
+        } else {
+          unfixableAlerts.push(sockPkgAlert);
         }
       } else if (fixType === ALERT_FIX_TYPE.upgrade) {
-        const oldHighest = highestForUpgrade.get(major);
-        const highest = oldHighest?.version ?? '0.0.0';
+        // For Socket Optimize upgrades we assume the highest version available
+        // is compatible. This may change in the future.
+        const highest = highestForUpgrade.get(major)?.version ?? '0.0.0';
         if (vendor.semverExports.gt(version, highest)) {
           highestForUpgrade.set(major, {
             alert: sockPkgAlert,
@@ -2010,26 +1998,47 @@ async function addArtifactToAlertsMap(artifact, alertsByPkgId, options) {
         unfixableAlerts.push(sockPkgAlert);
       }
     }
-    sockPkgAlerts = [...unfixableAlerts, ...[...highestForCve.values()].map(d => d.alert), ...[...highestForUpgrade.values()].map(d => d.alert)];
+    sockPkgAlerts = [
+    // Sort CVE alerts by severity: critical, high, middle, then low.
+    ...[...highestForCve.values()].map(d => d.alert).sort(alertSeverityComparator), ...[...highestForUpgrade.values()].map(d => d.alert), ...unfixableAlerts];
+  } else {
+    sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type));
   }
   if (sockPkgAlerts.length) {
-    sockPkgAlerts.sort((a, b) => sorts.naturalCompare(a.type, b.type));
     alertsByPkgId.set(pkgId, sockPkgAlerts);
   }
   return alertsByPkgId;
 }
-function getCveInfoFromAlertsMap(alertsMap, options) {
+function alertsHaveBlocked(alerts) {
+  return alerts.find(a => a.blocked) !== undefined;
+}
+function alertsHaveSeverity(alerts, severity) {
+  return alerts.find(a => a.raw.severity === severity) !== undefined;
+}
+function alertSeverityComparator(a, b) {
+  // Put the most severe first.
+  return getAlertSeverityOrder(a) - getAlertSeverityOrder(b);
+}
+function getAlertSeverityOrder(alert) {
+  // The more severe, the lower the sort number.
   const {
-    exclude: _exclude,
-    limit = Infinity
-  } = {
+    severity
+  } = alert.raw;
+  return severity === ALERT_SEVERITY.critical ? 0 : severity === ALERT_SEVERITY.high ? 1 : severity === ALERT_SEVERITY.middle ? 2 : severity === ALERT_SEVERITY.low ? 3 : 4;
+}
+function getAlertsSeverityOrder(alerts) {
+  return alertsHaveBlocked(alerts) || alertsHaveSeverity(alerts, ALERT_SEVERITY.critical) ? 0 : alertsHaveSeverity(alerts, ALERT_SEVERITY.high) ? 1 : alertsHaveSeverity(alerts, ALERT_SEVERITY.middle) ? 2 : alertsHaveSeverity(alerts, ALERT_SEVERITY.low) ? 3 : 4;
+}
+function getCveInfoFromAlertsMap(alertsMap, options_) {
+  const options = {
     __proto__: null,
-    ...options
+    exclude: undefined,
+    limit: Infinity,
+    ...options_
   };
-  const exclude = {
+  options.exclude = {
     __proto__: null,
-    upgradable: true,
-    ..._exclude
+    ...options.exclude
   };
   let count = 0;
   let infoByPkgName = null;
@@ -2038,7 +2047,7 @@ function getCveInfoFromAlertsMap(alertsMap, options) {
     const name = packages.resolvePackageName(purlObj);
     sockPkgAlertsLoop: for (const sockPkgAlert of sockPkgAlerts) {
       const alert = sockPkgAlert.raw;
-      if (alert.fix?.type !== ALERT_FIX_TYPE.cve || exclude.upgradable && registry.getManifestData(NPM$3, name)) {
+      if (alert.fix?.type !== ALERT_FIX_TYPE.cve || options.exclude.upgradable && registry.getManifestData(NPM$3, name)) {
         continue sockPkgAlertsLoop;
       }
       if (!infoByPkgName) {
@@ -2053,33 +2062,44 @@ function getCveInfoFromAlertsMap(alertsMap, options) {
         key
       } = alert;
       if (!infos.has(key)) {
-        const {
-          firstPatchedVersionIdentifier,
-          vulnerableVersionRange
-        } = alert.props;
-        try {
-          infos.set(key, {
-            firstPatchedVersionIdentifier,
-            vulnerableVersionRange: new vendor.semverExports.Range(
-            // Replace ', ' in a range like '>= 1.0.0, < 1.8.2' with ' ' so that
-            // semver.Range will parse it without erroring.
-            vulnerableVersionRange.replace(/, +/g, ' ')).format()
-          });
-          if (++count >= limit) {
-            break alertsMapLoop;
+        // An alert with alert.fix.type of 'cve' should have a
+        // alert.props.firstPatchedVersionIdentifier property value.
+        // We're just being cautious.
+        const firstPatchedVersionIdentifier = alert.props?.firstPatchedVersionIdentifier;
+        const vulnerableVersionRange = alert.props?.vulnerableVersionRange;
+        let error;
+        if (firstPatchedVersionIdentifier && vulnerableVersionRange) {
+          try {
+            infos.set(key, {
+              firstPatchedVersionIdentifier,
+              vulnerableVersionRange: new vendor.semverExports.Range(
+              // Replace ', ' in a range like '>= 1.0.0, < 1.8.2' with ' ' so that
+              // semver.Range will parse it without erroring.
+              vulnerableVersionRange.replace(/, +/g, ' ')).format()
+            });
+            if (++count >= options.limit) {
+              break alertsMapLoop;
+            }
+            continue sockPkgAlertsLoop;
+          } catch (e) {
+            error = e;
+          }
+        }
+        if (debug.isDebug()) {
+          logger.logger.log('Unexpected condition: Invalid SocketPackageAlert in getCveInfoFromAlertsMap.');
+          logger.logger.dir(alert);
+          if (error) {
+            logger.logger.log(error);
           }
-        } catch (e) {
-          debug.debugLog('getCveInfoFromAlertsMap', {
-            firstPatchedVersionIdentifier,
-            vulnerableVersionRange
-          });
-          debug.debugLog(e);
         }
       }
     }
   }
   return infoByPkgName;
 }
+function getSeverityLabel(severity) {
+  return severity === 'middle' ? 'moderate' : severity;
+}
 function logAlertsMap(alertsMap, options) {
   const {
     hideAt = 'middle',
@@ -2284,14 +2304,7 @@ function getMajor(version) {
   return null;
 }
-async function getAlertsMapFromPnpmLockfile(lockfile, options_) {
-  const options = {
-    __proto__: null,
-    consolidate: false,
-    limit: Infinity,
-    nothrow: false,
-    ...options_
-  };
+async function getAlertsMapFromPnpmLockfile(lockfile, options) {
   const purls = await extractPurlsFromPnpmLockfile(lockfile);
   return await getAlertsMapFromPurls(purls, {
     overrides: lockfile.overrides,
@@ -2302,12 +2315,15 @@ async function getAlertsMapFromPurls(purls, options_) {
   const options = {
     __proto__: null,
     consolidate: false,
+    include: undefined,
     nothrow: false,
     ...options_
   };
-  const include = {
+  options.include = {
     __proto__: null,
-    actions: undefined,
+    // Leave 'actions' unassigned so it can be given a default value in
+    // subsequent functions where `options` is passed.
+    // actions: undefined,
     blocked: true,
     critical: true,
     cve: true,
@@ -2334,19 +2350,19 @@ async function getAlertsMapFromPurls(purls, options_) {
     throw new Error('Auth error: Try to run `socket login` first');
   }
   const sockSdk = sockSdkResult.data;
-  const toAlertsMapOptions = {
+  const alertsMapOptions = {
     overrides: options.overrides,
     consolidate: options.consolidate,
-    include,
+    include: options.include,
     spinner
   };
   for await (const batchResult of sockSdk.batchPackageStream({
     alerts: 'true',
     compact: 'true',
-    ...(include.actions ? {
-      actions: include.actions.join(',')
+    ...(options.include.actions ? {
+      actions: options.include.actions.join(',')
     } : {}),
-    ...(include.unfixable ? {} : {
+    ...(options.include.unfixable ? {} : {
       fixable: 'true'
     })
   }, {
@@ -2355,7 +2371,7 @@ async function getAlertsMapFromPurls(purls, options_) {
     }))
   })) {
     if (batchResult.success) {
-      await addArtifactToAlertsMap(batchResult.data, alertsByPkgId, toAlertsMapOptions);
+      await addArtifactToAlertsMap(batchResult.data, alertsByPkgId, alertsMapOptions);
     } else if (!options.nothrow) {
       const statusCode = batchResult.status ?? 'unknown';
       const statusMessage = batchResult.error ?? 'No status message';
@@ -2935,5 +2951,5 @@ exports.supportedConfigKeys = supportedConfigKeys;
 exports.updateConfigValue = updateConfigValue;
 exports.validationFlags = validationFlags;
 exports.walkNestedMap = walkNestedMap;
-//# debugId=b0a949b5-7c7b-46ea-b147-73f0f9c6007a
+//# debugId=5078b465-1ba3-4edc-a65d-343294db93ef
 //# sourceMappingURL=utils.js.map