Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(arborist): dont skip adding advisories to audit based on name/range #4735

Merged
merged 1 commit into from
Apr 13, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
75 changes: 36 additions & 39 deletions workspaces/arborist/lib/audit-report.js
Original file line number Diff line number Diff line change
Expand Up @@ -134,61 +134,58 @@ class AuditReport extends Map {
const seen = new Set()
for (const advisory of advisories) {
const { name, range } = advisory

// don't flag the exact same name/range more than once
// adding multiple advisories with the same range is fine, but no
// need to search for nodes we already would have added.
const k = `${name}@${range}`
if (seen.has(k)) {
continue
}

seen.add(k)

const vuln = this.get(name) || new Vuln({ name, advisory })
if (this.has(name)) {
vuln.addAdvisory(advisory)
}
super.set(name, vuln)

const p = []
for (const node of this.tree.inventory.query('packageName', name)) {
if (!shouldAudit(node, this[_omit], this.filterSet)) {
continue
}
// don't flag the exact same name/range more than once
// adding multiple advisories with the same range is fine, but no
// need to search for nodes we already would have added.
if (!seen.has(k)) {
const p = []
for (const node of this.tree.inventory.query('packageName', name)) {
if (!shouldAudit(node, this[_omit], this.filterSet)) {
continue
}

// if not vulnerable by this advisory, keep searching
if (!advisory.testVersion(node.version)) {
continue
}
// if not vulnerable by this advisory, keep searching
if (!advisory.testVersion(node.version)) {
continue
}

// we will have loaded the source already if this is a metavuln
if (advisory.type === 'metavuln') {
vuln.addVia(this.get(advisory.dependency))
}
// we will have loaded the source already if this is a metavuln
if (advisory.type === 'metavuln') {
vuln.addVia(this.get(advisory.dependency))
}

// already marked this one, no need to do it again
if (vuln.nodes.has(node)) {
continue
}
// already marked this one, no need to do it again
if (vuln.nodes.has(node)) {
continue
}

// haven't marked this one yet. get its dependents.
vuln.nodes.add(node)
for (const { from: dep, spec } of node.edgesIn) {
if (dep.isTop && !vuln.topNodes.has(dep)) {
this[_checkTopNode](dep, vuln, spec)
} else {
// haven't marked this one yet. get its dependents.
vuln.nodes.add(node)
for (const { from: dep, spec } of node.edgesIn) {
if (dep.isTop && !vuln.topNodes.has(dep)) {
this[_checkTopNode](dep, vuln, spec)
} else {
// calculate a metavuln, if necessary
const calc = this.calculator.calculate(dep.packageName, advisory)
p.push(calc.then(meta => {
if (meta.testVersion(dep.version, spec)) {
advisories.add(meta)
}
}))
const calc = this.calculator.calculate(dep.packageName, advisory)
p.push(calc.then(meta => {
if (meta.testVersion(dep.version, spec)) {
advisories.add(meta)
}
}))
}
}
}
await Promise.all(p)
seen.add(k)
}
await Promise.all(p)

// make sure we actually got something. if not, remove it
// this can happen if you are loading from a lockfile created by
Expand Down
129 changes: 129 additions & 0 deletions workspaces/arborist/tap-snapshots/test/audit-report.js.test.cjs
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,15 @@ exports[`test/audit-report.js TAP all severity levels > json version 1`] = `
"severity": "high",
"range": "<3.0.8 || >=4.0.0 <4.5.3"
},
{
"source": 1325,
"name": "handlebars",
"dependency": "handlebars",
"title": "Prototype Pollution",
"url": "https://npmjs.com/advisories/1325",
"severity": "high",
"range": "<3.0.8 || >=4.0.0 <4.5.3"
},
{
"source": 755,
"name": "handlebars",
Expand Down Expand Up @@ -448,6 +457,15 @@ exports[`test/audit-report.js TAP all severity levels > json version 1`] = `
"url": "https://npmjs.com/advisories/1478",
"severity": "high",
"range": ">=4.1.0"
},
{
"source": 1479,
"name": "subtext",
"dependency": "subtext",
"title": "Prototype Pollution",
"url": "https://npmjs.com/advisories/1479",
"severity": "high",
"range": ">=0.0.0"
}
],
"effects": [],
Expand Down Expand Up @@ -558,6 +576,15 @@ exports[`test/audit-report.js TAP audit outdated nyc and mkdirp > json version 1
"severity": "high",
"range": "<3.0.8 || >=4.0.0 <4.5.3"
},
{
"source": 1325,
"name": "handlebars",
"dependency": "handlebars",
"title": "Prototype Pollution",
"url": "https://npmjs.com/advisories/1325",
"severity": "high",
"range": "<3.0.8 || >=4.0.0 <4.5.3"
},
{
"source": 755,
"name": "handlebars",
Expand Down Expand Up @@ -918,6 +945,15 @@ exports[`test/audit-report.js TAP audit outdated nyc and mkdirp with before: opt
"severity": "high",
"range": "<3.0.8 || >=4.0.0 <4.5.3"
},
{
"source": 1325,
"name": "handlebars",
"dependency": "handlebars",
"title": "Prototype Pollution",
"url": "https://npmjs.com/advisories/1325",
"severity": "high",
"range": "<3.0.8 || >=4.0.0 <4.5.3"
},
{
"source": 755,
"name": "handlebars",
Expand Down Expand Up @@ -1278,6 +1314,15 @@ exports[`test/audit-report.js TAP audit outdated nyc and mkdirp with newer endpo
"severity": "high",
"range": "<3.0.8 || >=4.0.0 <4.5.3"
},
{
"source": 1325,
"name": "handlebars",
"dependency": "handlebars",
"title": "Prototype Pollution",
"url": "https://npmjs.com/advisories/1325",
"severity": "high",
"range": "<3.0.8 || >=4.0.0 <4.5.3"
},
{
"source": 755,
"name": "handlebars",
Expand Down Expand Up @@ -2144,6 +2189,20 @@ Object {
"versions": undefined,
"vulnerableVersions": undefined,
},
Object {
"cvss": undefined,
"cwe": undefined,
"dependency": "handlebars",
"id": undefined,
"name": "handlebars",
"range": "<3.0.8 || >=4.0.0 <4.5.3",
"severity": "high",
"source": 1325,
"title": "Prototype Pollution",
"url": "https://npmjs.com/advisories/1325",
"versions": undefined,
"vulnerableVersions": undefined,
},
Object {
"cvss": undefined,
"cwe": undefined,
Expand Down Expand Up @@ -2623,6 +2682,20 @@ Object {
"versions": undefined,
"vulnerableVersions": undefined,
},
Object {
"cvss": undefined,
"cwe": undefined,
"dependency": "handlebars",
"id": undefined,
"name": "handlebars",
"range": "<3.0.8 || >=4.0.0 <4.5.3",
"severity": "high",
"source": 1325,
"title": "Prototype Pollution",
"url": "https://npmjs.com/advisories/1325",
"versions": undefined,
"vulnerableVersions": undefined,
},
Object {
"cvss": undefined,
"cwe": undefined,
Expand Down Expand Up @@ -2791,6 +2864,20 @@ Object {
"versions": undefined,
"vulnerableVersions": undefined,
},
Object {
"cvss": undefined,
"cwe": undefined,
"dependency": "handlebars",
"id": undefined,
"name": "handlebars",
"range": "<3.0.8 || >=4.0.0 <4.5.3",
"severity": "high",
"source": 1325,
"title": "Prototype Pollution",
"url": "https://npmjs.com/advisories/1325",
"versions": undefined,
"vulnerableVersions": undefined,
},
Object {
"cvss": undefined,
"cwe": undefined,
Expand Down Expand Up @@ -3270,6 +3357,20 @@ Object {
"versions": undefined,
"vulnerableVersions": undefined,
},
Object {
"cvss": undefined,
"cwe": undefined,
"dependency": "handlebars",
"id": undefined,
"name": "handlebars",
"range": "<3.0.8 || >=4.0.0 <4.5.3",
"severity": "high",
"source": 1325,
"title": "Prototype Pollution",
"url": "https://npmjs.com/advisories/1325",
"versions": undefined,
"vulnerableVersions": undefined,
},
Object {
"cvss": undefined,
"cwe": undefined,
Expand Down Expand Up @@ -3458,6 +3559,20 @@ Object {
"versions": undefined,
"vulnerableVersions": undefined,
},
Object {
"cvss": undefined,
"cwe": undefined,
"dependency": "handlebars",
"id": undefined,
"name": "handlebars",
"range": "<3.0.8 || >=4.0.0 <4.5.3",
"severity": "high",
"source": 1325,
"title": "Prototype Pollution",
"url": "https://npmjs.com/advisories/1325",
"versions": undefined,
"vulnerableVersions": undefined,
},
Object {
"cvss": undefined,
"cwe": undefined,
Expand Down Expand Up @@ -3927,6 +4042,20 @@ Object {
"versions": undefined,
"vulnerableVersions": undefined,
},
Object {
"cvss": undefined,
"cwe": undefined,
"dependency": "handlebars",
"id": undefined,
"name": "handlebars",
"range": "<3.0.8 || >=4.0.0 <4.5.3",
"severity": "high",
"source": 1325,
"title": "Prototype Pollution",
"url": "https://npmjs.com/advisories/1325",
"versions": undefined,
"vulnerableVersions": undefined,
},
Object {
"cvss": undefined,
"cwe": undefined,
Expand Down