From ab7a40f2b09dec8b2c2b4e5b13c8d9a3544b47a2 Mon Sep 17 00:00:00 2001
From: isaacs
Date: Fri, 12 Feb 2021 16:26:00 -0800
Subject: [PATCH] When an advisory lacks vulnerable_versions, use *

Re: https://github.com/npm/cli/issues/1875
---
 lib/advisory.js | 6 +++++-
 test/advisory.js | 17 +++++++++++++++++
 .../no-vulnerable-versions-specified.json | 6 ++++++
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 test/fixtures/advisories/no-vulnerable-versions-specified.json

diff --git a/lib/advisory.js b/lib/advisory.js
index 4ce00bf..a75c097 100644
--- a/lib/advisory.js
+++ b/lib/advisory.js
@@ -38,8 +38,12 @@ class Advisory {
 this.severity = source.severity
 this.versions = []
 this.vulnerableVersions = []
+
 // advisories have the range, metavulns do not
- this.range = source.vulnerable_versions || null
+ // if an advisory doesn't specify range, assume all are vulnerable
+ this.range = this.type === 'advisory' ? source.vulnerable_versions || '*'
+ : null
+
 this.id = hash(this)
 this[_packument] = null

diff --git a/test/advisory.js b/test/advisory.js
index 2014d68..410bd5b 100644
--- a/test/advisory.js
+++ b/test/advisory.js
@@ -322,3 +322,20 @@ t.test('a package with only prerelease versions', t => {
 t.end()
 })
+t.test('default to * when no vulnerable_versions specified', t => {
+ const name = 'no-vulnerable-versions-specified'
+ const v = new Advisory(name, advisories[name])
+ t.same(v, {
+ source: 123456789,
+ name: 'no-vulnerable-versions-specified',
+ dependency: 'no-vulnerable-versions-specified',
+ title: 'No versions, so all are vulnerable',
+ url: 'https://npmjs.com/advisories/123456789',
+ severity: 'low',
+ versions: [],
+ vulnerableVersions: [],
+ range: '*',
+ id: 'scjW9DzqGzCfXM/NEoe9MtD/27lWe9N5ezyJTS2HbpWLiB4FNH5GNenSysezlswMnQwIUtWkVPbWUqRJtUfUJA==',
+ }, 'default to all versions being considered vulnerable')
+ t.end()
+})
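Review bot: The `'*'` default on the new `this.range` line is only fail-closed if the code that later matches versions against the range includes prereleases: a plain semver `*` does not satisfy `1.0.0-beta.1`, so an advisory with no `vulnerable_versions` could still yield zero vulnerable versions for a package that only publishes prereleases (the neighbouring test named 'a package with only prerelease versions' suggests that case is already a concern in this file). The matching code is outside this hunk, so either confirm it passes `includePrerelease: true` when the range came from this default, or record the gap next to the new comment, e.g. `// NOTE: '*' only covers prerelease-only packages if the range match sets includePrerelease`. The expression also depends on `this.type` having been assigned earlier in the constructor, whose start lies above the hunk; if it is set later, every advisory silently gets `range = null` and is treated as having no vulnerable versions. Finally, `||` deliberately maps an empty-string `vulnerable_versions` to `'*'` (the safe direction), which is worth stating in the comment so it is not later "corrected" to `??`.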
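Review bot: The new test only exercises a fixture where the `vulnerable_versions` key is absent, so the empty-string case that the `||` in lib/advisory.js also collapses to `'*'` is unpinned and could regress if that operator is ever changed to `??`. A one-line assertion alongside the existing `t.same` would cover it, e.g. `t.equal(new Advisory(name, { ...advisories[name], vulnerable_versions: '' }).range, '*', 'empty range is treated as unspecified')`. The `type === 'advisory'` branch is implied here, but nothing in this hunk asserts that a non-advisory source still gets `range: null`; if a metavuln fixture exists elsewhere in the suite, a matching `t.equal(..., null)` would lock in that half of the new ternary.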
diff --git a/test/fixtures/advisories/no-vulnerable-versions-specified.json b/test/fixtures/advisories/no-vulnerable-versions-specified.json
new file mode 100644
index 0000000..92b402a
--- /dev/null
+++ b/test/fixtures/advisories/no-vulnerable-versions-specified.json
@@ -0,0 +1,6 @@
+{
+ "id": 123456789,
+ "url": "https://npmjs.com/advisories/123456789",
+ "title": "No versions, so all are vulnerable",
+ "severity": "low"
+}