npq 3.19.0 → 3.19.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/marshalls/snyk.marshall.js +30 -15
- package/package.json +1 -1
|
@@ -9,6 +9,30 @@ const { marshallCategories } = require('./constants')
|
|
|
9
9
|
const MARSHALL_NAME = 'snyk'
|
|
10
10
|
const SNYK_PACKAGE_PAGE = 'https://snyk.io/vuln/npm:'
|
|
11
11
|
const SNYK_CONFIG_FILE = '.config/configstore/snyk.json'
|
|
12
|
+
const OSV_MALICIOUS_ORIGINS_KEY = 'malicious-packages-origins'
|
|
13
|
+
|
|
14
|
+
function isOsvVulnMalicious(vuln) {
|
|
15
|
+
if (!vuln || typeof vuln !== 'object') {
|
|
16
|
+
return false
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
const ds = vuln.database_specific
|
|
20
|
+
if (ds && typeof ds === 'object' && !Array.isArray(ds)) {
|
|
21
|
+
if (Object.prototype.hasOwnProperty.call(ds, OSV_MALICIOUS_ORIGINS_KEY)) {
|
|
22
|
+
const origins = ds[OSV_MALICIOUS_ORIGINS_KEY]
|
|
23
|
+
if (Array.isArray(origins)) {
|
|
24
|
+
return true
|
|
25
|
+
}
|
|
26
|
+
}
|
|
27
|
+
}
|
|
28
|
+
|
|
29
|
+
const summary = vuln.summary
|
|
30
|
+
if (typeof summary === 'string' && summary.toLowerCase().startsWith('malicious')) {
|
|
31
|
+
return true
|
|
32
|
+
}
|
|
33
|
+
|
|
34
|
+
return false
|
|
35
|
+
}
|
|
12
36
|
|
|
13
37
|
class Marshall extends BaseMarshall {
|
|
14
38
|
constructor(options) {
|
|
@@ -55,18 +79,14 @@ class Marshall extends BaseMarshall {
|
|
|
55
79
|
}
|
|
56
80
|
|
|
57
81
|
if (data.issuesCount && data.issuesCount > 0) {
|
|
82
|
+
const packageSecurityInfo = `${SNYK_PACKAGE_PAGE}${encodeURIComponent(pkg.packageName)}`
|
|
83
|
+
if (data.isMaliciousPackage) {
|
|
84
|
+
throw new Error(`Malicious package found: ${packageSecurityInfo}`)
|
|
85
|
+
}
|
|
58
86
|
if (this.snykApiToken) {
|
|
59
|
-
const packageSecurityInfo = `${SNYK_PACKAGE_PAGE}${encodeURIComponent(pkg.packageName)}`
|
|
60
|
-
if (data.isMaliciousPackage) {
|
|
61
|
-
throw new Error(`Malicious package found: ${packageSecurityInfo}`)
|
|
62
|
-
}
|
|
63
|
-
|
|
64
87
|
throw new Error(`${data.issuesCount} vulnerable path(s) found: ${packageSecurityInfo}`)
|
|
65
|
-
} else {
|
|
66
|
-
throw new Error(
|
|
67
|
-
`${data.issuesCount} vulnerabilities found by OSV for ${pkg.packageName}`
|
|
68
|
-
)
|
|
69
88
|
}
|
|
89
|
+
throw new Error(`${data.issuesCount} vulnerabilities found by OSV for ${pkg.packageName}`)
|
|
70
90
|
}
|
|
71
91
|
|
|
72
92
|
return data
|
|
@@ -93,12 +113,7 @@ class Marshall extends BaseMarshall {
|
|
|
93
113
|
.then((response) => response.json())
|
|
94
114
|
.then((data) => {
|
|
95
115
|
if (data && data.vulns) {
|
|
96
|
-
const isMaliciousPackage = data.vulns.some(
|
|
97
|
-
(vuln) =>
|
|
98
|
-
vuln.database_specific &&
|
|
99
|
-
vuln.database_specific['malicious-packages-origins'] &&
|
|
100
|
-
vuln.database_specific['malicious-packages-origins'].length > 0
|
|
101
|
-
)
|
|
116
|
+
const isMaliciousPackage = data.vulns.some((vuln) => isOsvVulnMalicious(vuln))
|
|
102
117
|
|
|
103
118
|
return {
|
|
104
119
|
issuesCount: data.vulns.length,
|