Skip to content

Commit

Permalink
When an advisory lacks vulnerable_versions, use *
Browse files Browse the repository at this point in the history 
Re: npm/cli#1875
  • Loading branch information
@isaacs
isaacs committed Feb 13, 2021
1 parent 5b71911 commit 3df1d29
Show file tree
Hide file tree
Showing 3 changed files with 28 additions and 1 deletion.
6 changes: 5 additions & 1 deletion lib/advisory.js
View file
Expand Up @@ -38,8 +38,12 @@ class Advisory {
this.severity = source.severity
this.versions = []
this.vulnerableVersions = []

// advisories have the range, metavulns do not
this.range = source.vulnerable_versions || null
// if an advisory doesn't specify range, assume all are vulnerable
this.range = this.type === 'advisory' ? source.vulnerable_versions || '*'
: null

this.id = hash(this)

this[_packument] = null
Expand Down
17 changes: 17 additions & 0 deletions test/advisory.js
View file
Expand Up @@ -322,3 +322,20 @@ t.test('a package with only prerelease versions', t => {
t.end()
})

t.test('default to * when no vulnerable_versions specified', t => {
const name = 'no-vulnerable-versions-specified'
const v = new Advisory(name, advisories[name])
t.same(v, {
source: 123456789,
name: 'no-vulnerable-versions-specified',
dependency: 'no-vulnerable-versions-specified',
title: 'No versions, so all are vulnerabje',
url: 'https://npmjs.com/advisories/123456789',
severity: 'low',
versions: [],
vulnerableVersions: [],
range: '*',
id: 'scjW9DzqGzCfXM/NEoe9MtD/27lWe9N5ezyJTS2HbpWLiB4FNH5GNenSysezlswMnQwIUtWkVPbWUqRJtUfUJA==',
}, 'default to all versions being considered vulnerable')
t.end()
})
6 changes: 6 additions & 0 deletions test/fixtures/advisories/no-vulnerable-versions-specified.json
View file
@@ -0,0 +1,6 @@
{
"id": 123456789,
"url": "https://npmjs.com/advisories/123456789",
"title": "No versions, so all are vulnerabje",
"severity": "low"
}

0 comments on commit 3df1d29

Please sign in to comment.