refactor(vuln): adding multiple strategies to hydrate Node Secure's p…
…ayload vulnerabilities using npm's audit strategy. (#75) * feat: adding npm audit to the vulnerabilities sources strategies. * fix: adding npm audit as a vulnerabilities source strategy * fix: remove unused callback. * sync w/ master. * fix: update package-lock after arborist@^2.2.6 upgrade. * fix: null coalescing operator incompatibility with Node < 14 * refacto: removing explicit declarations and adding more abstraction. * moving side effects (specific logic linked to a specific vuln mode) in their respective scope. * refactor: moving strategies initialization to main entry file to allow vuln strategies to be used by API + CLI. Add vuln strategy type to nsecure payload (+ typings) which is not used for now. * fix: cleaning security-wg test
1 parent
cb38008
commit 236c733
Showing
17 changed files
with
345 additions
and
75 deletions.
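--- /dev/null
+++ b/PATH_NOT_SHOWN_FILE_1
@@ -0,0 +1,9 @@
+"use strict";
+
+const VULN_MODE_DB_SECURITY_WG = "db_security_wg";
+const VULN_MODE_NPM_AUDIT = "db_npm";
+
+module.exports = {
+VULN_MODE_DB_SECURITY_WG,
+VULN_MODE_NPM_AUDIT
+};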
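--- /dev/null
+++ b/PATH_NOT_SHOWN_FILE_2
@@ -0,0 +1,63 @@
+/* eslint-disable class-methods-use-this */
+"use strict";
+
+// Require Third-party Dependencies
+const Arborist = require("@npmcli/arborist");
+
+// CONSTANTS
+const { constants } = require("../../utils");
+const { VULN_MODE_NPM_AUDIT } = require("../strategies");
+
+
+function NPMAuditStrategy() {
+return {
+type: VULN_MODE_NPM_AUDIT,
+hydrateNodeSecurePayload
+};
+}
+
+async function hydrateNodeSecurePayload(dependencies) {
+const arborist = new Arborist({ ...constants.NPM_TOKEN, registry: constants.DEFAULT_REGISTRY_ADDR });
+
+try {
+const { vulnerabilities } = (await arborist.audit()).toJSON();
+
+Object.keys(vulnerabilities).forEach((packageName) => {
+const packageVulnerabilities = extractPackageVulnsFromSource(vulnerabilities[packageName]);
+const dependenciesVulnerabilities = dependencies.get(packageName).vulnerabilities;
+
+dependenciesVulnerabilities.push(packageVulnerabilities);
+});
+}
+// eslint-disable-next-line no-empty
+catch {}
+}
+
+function extractPackageVulnsFromSource(packageVulnerabilities) {
+const vulnerabilitiesFromSource = [];
+const { via: vulnSources } = packageVulnerabilities;
+
+for (const vulnSource of vulnSources) {
+const {
+title, range, id,
+module_name: name,
+severity, version,
+vulnerableVersions
+} = vulnSource;
+
+const vulnerability = {
+title,
+module_name: name,
+severity, version,
+vulnerableVersions,
+range,
+id
+};
+vulnerabilitiesFromSource.push(vulnerability);
+}
+
+return vulnerabilitiesFromSource;
+}
+
+
+module.exports = { NPMAuditStrategy };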
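Review bot: The empty `catch {}` at the end of hydrateNodeSecurePayload turns any failure of `arborist.audit()` (registry unreachable, rejected token, unexpected report shape) into a payload that reports zero npm-audit vulnerabilities, which a consumer cannot tell apart from a clean audit. The same catch also hides the TypeError thrown inside the forEach callback when `dependencies.get(packageName)` has no entry for a package the audit reports, and because that throw escapes the callback the remaining packages are never processed either. Letting the error propagate (or rethrowing it with context) and skipping unknown packages explicitly keeps a failed audit visible to the caller; the rewrite below does that. Two smaller points: `dependenciesVulnerabilities.push(packageVulnerabilities)` pushes the array returned by extractPackageVulnsFromSource as a single nested element where `push(...packageVulnerabilities)` is presumably intended, and, if I recall the arborist report format correctly, entries of `via` may be plain strings naming the dependency a vulnerability is inherited through, which the destructuring at `const { title, range, id, ... } = vulnSource` would turn into records with every field undefined — a `if (typeof vulnSource === "string") continue;` guard before it avoids that.
```javascript
async function hydrateNodeSecurePayload(dependencies) {
  const arborist = new Arborist({ ...constants.NPM_TOKEN, registry: constants.DEFAULT_REGISTRY_ADDR });

  // No try/catch: a failed audit must surface to the caller rather than read as "no vulnerabilities".
  const { vulnerabilities } = (await arborist.audit()).toJSON();

  for (const [packageName, packageVulnerabilities] of Object.entries(vulnerabilities)) {
    const dependency = dependencies.get(packageName);
    if (dependency === undefined) {
      // skip packages the audit reports but the payload does not track
      continue;
    }
    dependency.vulnerabilities.push(...extractPackageVulnsFromSource(packageVulnerabilities));
  }
}
```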