defmodule Sobelow.Vuln.Ecto do
  @moduledoc """
  # Ecto Version Lacks Protection Mechanism

  For more information visit:
  https://github.com/advisories/GHSA-2xxx-fhc8-9qvq

  Ecto checks can be ignored with the following command:

      $ mix sobelow -i Vuln.Ecto
  """
  alias Sobelow.Config
  alias Sobelow.Vuln

  @uid 24
  @finding_type "Vuln.Ecto: Known Vulnerable Dependency - Update Ecto"

  use Sobelow.Finding

  # Version requirement strings (as accepted by `Version.match?/2`) of the
  # Ecto releases covered by this advisory. The check is an exact-version
  # list, so an Ecto release not listed here is never reported.
  @vuln_vsn ["2.2.0"]

  @doc """
  Checks the Ecto dependency fetched under `root` against `@vuln_vsn`.

  Looks for `root <> "/deps/ecto/mix.exs"`; when it exists, reads the
  version with `Config.get_version/1` and prints a finding via
  `Vuln.print_finding/6` if it matches a listed requirement.

  Returns `nil` when the mix file is absent, when the version string
  cannot be parsed, or when the version is not affected; otherwise
  returns whatever `Vuln.print_finding/6` returns.
  """
  def run(root) do
    mix_file = root <> "/deps/ecto/mix.exs"

    if File.exists?(mix_file) do
      mix_file
      |> Config.get_version()
      |> Version.parse()
      |> report_if_vulnerable(mix_file)
    end
  end

  # Only a successfully parsed version is compared; an unparseable
  # version string is skipped silently rather than reported.
  # NOTE(review): `Config.get_version/1` is assumed to return a binary,
  # since `Version.parse/1` requires one — confirm against its definition.
  defp report_if_vulnerable({:ok, vsn}, mix_file) do
    if vulnerable?(vsn) do
      Vuln.print_finding(
        mix_file,
        vsn,
        "Ecto",
        "Missing `is_nil` requirement",
        "CVE-2017-20166",
        "Ecto"
      )
    end
  end

  defp report_if_vulnerable(_other, _mix_file), do: nil

  # True when the parsed version satisfies any requirement in `@vuln_vsn`.
  defp vulnerable?(vsn), do: Enum.any?(@vuln_vsn, &Version.match?(vsn, &1))
end