
fix: support dependencies with multiple vulnerabilities when using npm 7
G-Rath committed Jun 10, 2021
1 parent be94f4d commit 63f84ee
Showing 7 changed files with 563 additions and 9 deletions.
25 changes: 17 additions & 8 deletions src/audit.ts
Expand Up @@ -146,8 +146,20 @@ const toMapOfFindings = (findings: Finding[]): Record<string, Finding> => {
return theFindings;
};

type Npm7VulnerabilityWithAdvisory = Omit<Npm7Vulnerability, 'via'> & {
via: [Npm7Advisory];
/**
* Finds all the advisories that are included with the given record of
* `vulnerabilities` provided by the audit output of `npm` v7.
*
* @param {Record<string, Npm7Vulnerability>} vulnerabilities
*
* @return {Array<Npm7Advisory>}
*/
const findAdvisories = (
vulnerabilities: Record<string, Npm7Vulnerability>
): Npm7Advisory[] => {
return Object.values(vulnerabilities)
.reduce<Array<Npm7Advisory | string>>((all, { via }) => all.concat(via), [])
.filter((via): via is Npm7Advisory => typeof via === 'object');
};

const collectNpmAuditResults: AuditResultsCollector = async stdout => {
Expand Down Expand Up @@ -183,12 +195,9 @@ const collectNpmAuditResults: AuditResultsCollector = async stdout => {
if ('auditReportVersion' in auditOutput) {
resolve({
findings: toMapOfFindings(
Object.values(auditOutput.vulnerabilities)
.filter(
(vul): vul is Npm7VulnerabilityWithAdvisory =>
vul.via.length === 1 && typeof vul.via[0] === 'object'
)
.map(vul => npm7AdvisoryToFinding(vul.via[0]))
findAdvisories(auditOutput.vulnerabilities).map(via =>
npm7AdvisoryToFinding(via)
)
),
dependencyStatistics: extractDependencyStatisticsFromNpm7(
auditOutput.metadata
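Review bot: In `findAdvisories` the JSDoc tags carry type braces — `@param {Record<string, Npm7Vulnerability>} vulnerabilities` and `@return {Array<Npm7Advisory>}` — that duplicate the TypeScript signature and will drift from it; the TSDoc form is `@param vulnerabilities - the vulnerabilities record of the npm v7 audit report` and `@returns every advisory object found in a via array, in iteration order`. The comment should also state what the `typeof via === 'object'` predicate does, since it is the behaviour that replaces the removed single-entry filter: string entries of `via` are dropped and only advisory objects are returned, e.g. `// via mixes advisory objects with package-name strings; keep only the advisories`. The `reduce`/`concat` pair re-copies the accumulator for every vulnerability; `Object.values(vulnerabilities).flatMap(({ via }) => via)` is the single-pass equivalent if the project's lib target includes ES2019. Whether one advisory can surface under more than one `vulnerabilities` key, and so reach `toMapOfFindings` twice, is not something this hunk shows — worth confirming against a fixture with a shared transitive dependency.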
8 changes: 7 additions & 1 deletion test/fixtures/fixtures.json


121 changes: 121 additions & 0 deletions test/fixtures/serialize-to-js/package-lock.json


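--- a/test/fixtures/serialize-to-js/package.json
+++ b/test/fixtures/serialize-to-js/package.json
@@ -0,0 +1,5 @@
+{
+"dependencies": {
+"serialize-to-js": "1.0.0"
+}
+}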
108 changes: 108 additions & 0 deletions test/fixtures/serialize-to-js/pnpm-lock.yaml


111 changes: 111 additions & 0 deletions test/fixtures/serialize-to-js/yarn.lock
@@ -0,0 +1,111 @@
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


abbrev@1:
version "1.1.1"
resolved "https://registry.yarnpkg.com/abbrev/-/abbrev-1.1.1.tgz#f8f2c887ad10bf67f634f005b6987fed3179aac8"
integrity sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==

bluebird@^3.0.5:
version "3.7.2"
resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.7.2.tgz#9f229c15be272454ffa973ace0dbee79a1b0c36f"
integrity sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg==

commander@^2.9.0:
version "2.20.3"
resolved "https://registry.yarnpkg.com/commander/-/commander-2.20.3.tgz#fd485e84c03eb4881c20722ba48035e8531aeb33"
integrity sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==

config-chain@~1.1.5:
version "1.1.13"
resolved "https://registry.yarnpkg.com/config-chain/-/config-chain-1.1.13.tgz#fad0795aa6a6cdaff9ed1b68e9dff94372c232f4"
integrity sha512-qj+f8APARXHrM0hraqXYb2/bOVSV4PvJQlNZ/DVj0QrmNM2q2euizkeuVckQ57J+W0mRH6Hvi+k50M4Jul2VRQ==
dependencies:
ini "^1.3.4"
proto-list "~1.2.1"

editorconfig@^0.13.2:
version "0.13.3"
resolved "https://registry.yarnpkg.com/editorconfig/-/editorconfig-0.13.3.tgz#e5219e587951d60958fd94ea9a9a008cdeff1b34"
integrity sha512-WkjsUNVCu+ITKDj73QDvi0trvpdDWdkDyHybDGSXPfekLCqwmpD7CP7iPbvBgosNuLcI96XTDwNa75JyFl7tEQ==
dependencies:
bluebird "^3.0.5"
commander "^2.9.0"
lru-cache "^3.2.0"
semver "^5.1.0"
sigmund "^1.0.1"

esprima@^3.1.3:
version "3.1.3"
resolved "https://registry.yarnpkg.com/esprima/-/esprima-3.1.3.tgz#fdca51cee6133895e3c88d535ce49dbff62a4633"
integrity sha1-/cpRzuYTOJXjyI1TXOSdv/YqRjM=

ini@^1.3.4:
version "1.3.8"
resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.8.tgz#a29da425b48806f34767a4efce397269af28432c"
integrity sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==

js-beautify@~1.6.8:
version "1.6.14"
resolved "https://registry.yarnpkg.com/js-beautify/-/js-beautify-1.6.14.tgz#d3b8f7322d02b9277d58bd238264c327e58044cd"
integrity sha1-07j3Mi0CuSd9WL0jgmTDJ+WARM0=
dependencies:
config-chain "~1.1.5"
editorconfig "^0.13.2"
mkdirp "~0.5.0"
nopt "~3.0.1"

lru-cache@^3.2.0:
version "3.2.0"
resolved "https://registry.yarnpkg.com/lru-cache/-/lru-cache-3.2.0.tgz#71789b3b7f5399bec8565dda38aa30d2a097efee"
integrity sha1-cXibO39Tmb7IVl3aOKow0qCX7+4=
dependencies:
pseudomap "^1.0.1"

minimist@^1.2.5:
version "1.2.5"
resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==

mkdirp@~0.5.0:
version "0.5.5"
resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.5.tgz#d91cefd62d1436ca0f41620e251288d420099def"
integrity sha512-NKmAlESf6jMGym1++R0Ra7wvhV+wFW63FaSOFPwRahvea0gMUcGUhVeAg/0BC0wiv9ih5NYPB1Wn1UEI1/L+xQ==
dependencies:
minimist "^1.2.5"

nopt@~3.0.1:
version "3.0.6"
resolved "https://registry.yarnpkg.com/nopt/-/nopt-3.0.6.tgz#c6465dbf08abcd4db359317f79ac68a646b28ff9"
integrity sha1-xkZdvwirzU2zWTF/eaxopkayj/k=
dependencies:
abbrev "1"

proto-list@~1.2.1:
version "1.2.4"
resolved "https://registry.yarnpkg.com/proto-list/-/proto-list-1.2.4.tgz#212d5bfe1318306a420f6402b8e26ff39647a849"
integrity sha1-IS1b/hMYMGpCD2QCuOJv85ZHqEk=

pseudomap@^1.0.1:
version "1.0.2"
resolved "https://registry.yarnpkg.com/pseudomap/-/pseudomap-1.0.2.tgz#f052a28da70e618917ef0a8ac34c1ae5a68286b3"
integrity sha1-8FKijacOYYkX7wqKw0wa5aaChrM=

semver@^5.1.0:
version "5.7.1"
resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.1.tgz#a954f931aeba508d307bbf069eff0c01c96116f7"
integrity sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==

serialize-to-js@1.0.0:
version "1.0.0"
resolved "https://registry.yarnpkg.com/serialize-to-js/-/serialize-to-js-1.0.0.tgz#da5bb1061f0557efb230346628a188a8e0c02bb9"
integrity sha1-2luxBh8FV++yMDRmKKGIqODAK7k=
dependencies:
esprima "^3.1.3"
js-beautify "~1.6.8"

sigmund@^1.0.1:
version "1.0.1"
resolved "https://registry.yarnpkg.com/sigmund/-/sigmund-1.0.1.tgz#3ff21f198cad2175f9f3b781853fd94d0d19b590"
integrity sha1-P/IfGYytIXX587eBhT/ZTQ0ZtZA=
