Skip to content

Commit

Permalink
deps: @npmcli/metavuln-calculator@3.1.0 (#4674)
Browse files Browse the repository at this point in the history
* include cwe and cvss in advisories
  • Loading branch information
wraithgar authored Apr 4, 2022
1 parent de4de30 commit aaf86f6
Show file tree
Hide file tree
Showing 3 changed files with 46 additions and 36 deletions.
44 changes: 23 additions & 21 deletions node_modules/@npmcli/metavuln-calculator/lib/advisory.js
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,8 @@ class Advisory {
this.severity = source.severity || 'high'
this.versions = []
this.vulnerableVersions = []
this.cwe = source.cwe
this.cvss = source.cvss

// advisories have the range, metavulns do not
// if an advisory doesn't specify range, assume all are vulnerable
Expand Down Expand Up @@ -326,7 +328,7 @@ class Advisory {
list.push(v)
}

for (const list of versionSets) {
for (const set of versionSets) {
// it's common to have version lists like:
// 1.0.0
// 1.0.1-alpha.0
Expand All @@ -340,54 +342,54 @@ class Advisory {
// 1.0.2
// with a huge number of prerelease versions that are not installable
// anyway.
// If mid has a prerelease tag, and list[0] does not, then walk it
// If mid has a prerelease tag, and set[0] does not, then walk it
// back until we hit a non-prerelease version
// If mid has a prerelease tag, and list[list.length-1] does not,
// If mid has a prerelease tag, and set[set.length-1] does not,
// then walk it forward until we hit a version without a prerelease tag
// Similarly, if the head/tail is a prerelease, but there is a non-pr
// version in the list, then start there instead.
// version in the set, then start there instead.
let h = 0
const origHeadVuln = this.testVersion(list[h])
while (h < list.length && /-/.test(String(list[h]))) {
const origHeadVuln = this.testVersion(set[h])
while (h < set.length && /-/.test(String(set[h]))) {
h++
}

// don't filter out the whole list! they might all be pr's
if (h === list.length) {
if (h === set.length) {
h = 0
} else if (origHeadVuln) {
// if the original was vulnerable, assume so are all of these
for (let hh = 0; hh < h; hh++) {
this[_markVulnerable](list[hh])
this[_markVulnerable](set[hh])
}
}

let t = list.length - 1
const origTailVuln = this.testVersion(list[t])
while (t > h && /-/.test(String(list[t]))) {
let t = set.length - 1
const origTailVuln = this.testVersion(set[t])
while (t > h && /-/.test(String(set[t]))) {
t--
}

// don't filter out the whole list! might all be pr's
if (t === h) {
t = list.length - 1
t = set.length - 1
} else if (origTailVuln) {
// if original tail was vulnerable, assume these are as well
for (let tt = list.length - 1; tt > t; tt--) {
this[_markVulnerable](list[tt])
for (let tt = set.length - 1; tt > t; tt--) {
this[_markVulnerable](set[tt])
}
}

const headVuln = h === 0 ? origHeadVuln
: this.testVersion(list[h])
: this.testVersion(set[h])

const tailVuln = t === list.length - 1 ? origTailVuln
: this.testVersion(list[t])
const tailVuln = t === set.length - 1 ? origTailVuln
: this.testVersion(set[t])

// if head and tail both vulnerable, whole list is thrown out
if (headVuln && tailVuln) {
for (let v = h; v < t; v++) {
this[_markVulnerable](list[v])
this[_markVulnerable](set[v])
}
continue
}
Expand All @@ -397,9 +399,9 @@ class Advisory {
continue
}

const mid = Math.floor(list.length / 2)
const pre = list.slice(0, mid)
const post = list.slice(mid)
const mid = Math.floor(set.length / 2)
const pre = set.slice(0, mid)
const post = set.slice(mid)

// if the parent list wasn't prereleases, then drop pr tags
// from end of the pre list, and beginning of the post list,
Expand Down
27 changes: 16 additions & 11 deletions node_modules/@npmcli/metavuln-calculator/package.json
Original file line number Diff line number Diff line change
@@ -1,13 +1,16 @@
{
"name": "@npmcli/metavuln-calculator",
"version": "3.0.1",
"version": "3.1.0",
"main": "lib/index.js",
"files": [
"bin",
"lib"
"bin/",
"lib/"
],
"description": "Calculate meta-vulnerabilities from package security advisories",
"repository": "https://github.com/npm/metavuln-calculator",
"repository": {
"type": "git",
"url": "https://github.com/npm/metavuln-calculator.git"
},
"author": "GitHub Inc.",
"license": "ISC",
"scripts": {
Expand All @@ -19,19 +22,20 @@
"postversion": "npm publish",
"prepublishOnly": "git push origin --follow-tags",
"eslint": "eslint",
"lint": "eslint '**/*.js'",
"lint": "eslint \"**/*.js\"",
"lintfix": "npm run lint -- --fix",
"postlint": "npm-template-check",
"template-copy": "npm-template-copy --force"
"postlint": "template-oss-check",
"template-oss-apply": "template-oss-apply --force"
},
"tap": {
"check-coverage": true,
"coverage-map": "map.js"
},
"devDependencies": {
"@npmcli/template-oss": "^2.9.2",
"@npmcli/eslint-config": "^3.0.1",
"@npmcli/template-oss": "3.2.0",
"require-inject": "^1.4.4",
"tap": "^15.1.6"
"tap": "^16.0.1"
},
"dependencies": {
"cacache": "^16.0.0",
Expand All @@ -40,9 +44,10 @@
"semver": "^7.3.5"
},
"engines": {
"node": "^12.13.0 || ^14.15.0 || >=16"
"node": "^12.13.0 || ^14.15.0 || >=16.0.0"
},
"templateOSS": {
"version": "2.9.2"
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
"version": "3.2.0"
}
}
11 changes: 7 additions & 4 deletions package-lock.json
Original file line number Diff line number Diff line change
Expand Up @@ -936,16 +936,17 @@
}
},
"node_modules/@npmcli/metavuln-calculator": {
"version": "3.0.1",
"license": "ISC",
"version": "3.1.0",
"resolved": "https://registry.npmjs.org/@npmcli/metavuln-calculator/-/metavuln-calculator-3.1.0.tgz",
"integrity": "sha512-Q5fbQqGDlYqk7kWrbg6E2j/mtqQjZop0ZE6735wYA1tYNHguIDjAuWs+kFb5rJCkLIlXllfapvsyotYKiZOTBA==",
"dependencies": {
"cacache": "^16.0.0",
"json-parse-even-better-errors": "^2.3.1",
"pacote": "^13.0.3",
"semver": "^7.3.5"
},
"engines": {
"node": "^12.13.0 || ^14.15.0 || >=16"
"node": "^12.13.0 || ^14.15.0 || >=16.0.0"
}
},
"node_modules/@npmcli/move-file": {
Expand Down Expand Up @@ -10311,7 +10312,9 @@
}
},
"@npmcli/metavuln-calculator": {
"version": "3.0.1",
"version": "3.1.0",
"resolved": "https://registry.npmjs.org/@npmcli/metavuln-calculator/-/metavuln-calculator-3.1.0.tgz",
"integrity": "sha512-Q5fbQqGDlYqk7kWrbg6E2j/mtqQjZop0ZE6735wYA1tYNHguIDjAuWs+kFb5rJCkLIlXllfapvsyotYKiZOTBA==",
"requires": {
"cacache": "^16.0.0",
"json-parse-even-better-errors": "^2.3.1",
Expand Down

0 comments on commit aaf86f6

Please sign in to comment.