Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

When an advisory lacks vulnerable_versions, use * #4

Closed
wants to merge 2 commits into from
Closed

When an advisory lacks vulnerable_versions, use * #4

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ab7a40f
When an advisory lacks vulnerable_versions, use *
isaacs Feb 13, 2021
a6717bf
When severity missing, treat as 'high' severity
isaacs Feb 13, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
8 changes: 6 additions & 2 deletions lib/advisory.js
View file
Open in desktop
Expand Up @@ -35,11 +35,15 @@ class Advisory {
this.url = null
}

this.severity = source.severity
this.severity = source.severity || 'high'
this.versions = []
this.vulnerableVersions = []

// advisories have the range, metavulns do not
this.range = source.vulnerable_versions || null
// if an advisory doesn't specify range, assume all are vulnerable
this.range = this.type === 'advisory' ? source.vulnerable_versions || '*'
: null

this.id = hash(this)

this[_packument] = null
Expand Down
35 changes: 35 additions & 0 deletions test/advisory.js
View file
Open in desktop
Expand Up @@ -322,3 +322,38 @@ t.test('a package with only prerelease versions', t => {
t.end()
})

t.test('default to * when no vulnerable_versions specified', t => {
const name = 'no-vulnerable-versions-specified'
const v = new Advisory(name, advisories[name])
t.same(v, {
source: 123456789,
name: 'no-vulnerable-versions-specified',
dependency: 'no-vulnerable-versions-specified',
title: 'No versions, so all are vulnerable',
url: 'https://npmjs.com/advisories/123456789',
severity: 'low',
versions: [],
vulnerableVersions: [],
range: '*',
id: 'scjW9DzqGzCfXM/NEoe9MtD/27lWe9N5ezyJTS2HbpWLiB4FNH5GNenSysezlswMnQwIUtWkVPbWUqRJtUfUJA==',
}, 'default to all versions being considered vulnerable')
t.end()
})

t.test('default to "high" when no severity specified', t => {
const name = 'no-severity-specified'
const v = new Advisory(name, advisories[name])
t.same(v, {
source: 123456789,
name: 'no-severity-specified',
dependency: 'no-severity-specified',
title: 'No severity, so high severity',
url: 'https://npmjs.com/advisories/123456789',
severity: 'high',
versions: [],
vulnerableVersions: [],
range: '1.x',
id: 'ajZ5Jt7T99fpH0t8LgyBbDVivYlv/1OGrs/o+D8KmLDl+LKTjObUEt19cAZGaWdqiemuQOnvdZD577nKU+giIQ==',
}, 'default to all versions being considered vulnerable')
t.end()
})
6 changes: 6 additions & 0 deletions test/fixtures/advisories/no-severity-specified.json
View file
Open in desktop
@@ -0,0 +1,6 @@
{
"id": 123456789,
"url": "https://npmjs.com/advisories/123456789",
"title": "No severity, so high severity",
"vulnerable_versions": "1.x"
}
6 changes: 6 additions & 0 deletions test/fixtures/advisories/no-vulnerable-versions-specified.json
View file
Open in desktop
@@ -0,0 +1,6 @@
{
"id": 123456789,
"url": "https://npmjs.com/advisories/123456789",
"title": "No versions, so all are vulnerable",
"severity": "low"
}