1 |
|
2 | var retire = require('./retire'),
|
3 | fs = require('fs'),
|
4 | crypto = require('crypto'),
|
5 | path = require('path'),
|
6 | utils = require('./utils'),
|
7 | emitter = new require('events').EventEmitter;
|
8 |
|
9 | var events = new emitter();
|
10 |
|
11 | var hash = {
|
12 | 'sha1' : function(data) {
|
13 | shasum = crypto.createHash('sha1');
|
14 | shasum.update(data);
|
15 | return shasum.digest('hex');
|
16 | }
|
17 | };
|
18 |
|
19 | function emitResults(finding, options) {
|
20 | removeIgnored(finding.results, options.ignore);
|
21 | if (!options.verbose) finding.results = finding.results.filter(f => retire.isVulnerable([f]));
|
22 | if (finding.results.length == 0) return;
|
23 | if (retire.isVulnerable(finding.results)) {
|
24 | events.emit('vulnerable-dependency-found', finding);
|
25 | } else {
|
26 | events.emit('dependency-found', finding);
|
27 | }
|
28 |
|
29 | }
|
30 |
|
31 | function shouldIgnorePath(fileSpecs, ignores) {
|
32 | return utils.detect(ignores.paths, function(i) {
|
33 | return utils.detect(fileSpecs, function(j) {
|
34 | return i.test(j) || i.test(path.resolve(j));
|
35 | });
|
36 | });
|
37 | }
|
38 |
|
39 | function removeIgnored(results, ignores) {
|
40 | if (!ignores.hasOwnProperty('descriptors')) return;
|
41 | results.forEach(function(r) {
|
42 | if (!r.hasOwnProperty('vulnerabilities')) return;
|
43 | ignores.descriptors.forEach(function(i) {
|
44 | if (r.component !== i.component) return;
|
45 | if (i.version && r.version !== i.version) return;
|
46 | if (i.severity && r.severity !== i.severity) return;
|
47 | if (i.identifiers) {
|
48 | removeIgnoredVulnerabilitiesByIdentifier(i.identifiers, r);
|
49 | return;
|
50 | }
|
51 | r.vulnerabilities = [];
|
52 | });
|
53 | if (r.vulnerabilities.length === 0) delete r.vulnerabilities;
|
54 | });
|
55 | }
|
56 |
|
57 | function removeIgnoredVulnerabilitiesByIdentifier(identifiers, result) {
|
58 | result.vulnerabilities = result.vulnerabilities.filter(function(v) {
|
59 | if (!v.hasOwnProperty("identifiers")) return true;
|
60 | return !utils.every(identifiers, function(key, value) { return hasIdentifier(v, key, value); });
|
61 | });
|
62 | }
|
63 | function hasIdentifier(vulnerability, key, value) {
|
64 | if (!vulnerability.identifiers.hasOwnProperty(key)) return false;
|
65 | var identifier = vulnerability.identifiers[key];
|
66 | return Array.isArray(identifier) ? identifier.some(function(x) { return x === value; }) : identifier === value;
|
67 | }
|
68 |
|
69 |
|
70 | function scanJsFile(file, repo, options) {
|
71 | if (options.ignore && shouldIgnorePath([file], options.ignore)) {
|
72 | return;
|
73 | }
|
74 | var results = retire.scanFileName(file, repo);
|
75 | if (!results || results.length === 0) {
|
76 | results = retire.scanFileContent(fs.readFileSync(file), repo, hash);
|
77 | }
|
78 | emitResults({file: file, results: results}, options);
|
79 | }
|
80 |
|
81 |
|
82 | function scanDependencies(dependencies, nodeRepo, options) {
|
83 | for (var i in dependencies) {
|
84 | var dependency = dependencies[i];
|
85 | var fileSpecs = [toModulePath(dependency)];
|
86 | if (dependency.component) {
|
87 | fileSpecs.push(dependency.component);
|
88 | }
|
89 |
|
90 | if (options.ignore && shouldIgnorePath(fileSpecs, options.ignore)) {
|
91 | continue;
|
92 | }
|
93 | results = retire.scanNodeDependency(dependencies[i].module, nodeRepo, options);
|
94 | emitResults({file: dependencies[i].file, results: results}, options);
|
95 | }
|
96 | }
|
97 |
|
98 | function toModulePath(dep) {
|
99 | function f(d) {
|
100 | if (d.parent) return f(d.parent) + '/node_modules/' + d.component;
|
101 | return '';
|
102 | }
|
103 | return path.resolve(f(dep).substring(1));
|
104 | }
|
105 |
|
106 |
|
107 |
|
108 | function scanBowerFile(file, repo, options) {
|
109 | if (options.ignore && shouldIgnorePath([file], options.ignore)) {
|
110 | return;
|
111 | }
|
112 | try {
|
113 | var bower = JSON.parse(fs.readFileSync(file));
|
114 | if (bower.version) {
|
115 | var results = retire.check(bower.name, bower.version, repo);
|
116 | emitResults({file: file, results: results}, options);
|
117 | }
|
118 | } catch (e) {
|
119 | options.log.warn('Could not parse file: ' + file);
|
120 | }
|
121 | }
|
122 |
|
123 |
|
124 |
|
125 | exports.scanDependencies = function(dependencies, nodeRepo, options) {
|
126 | return scanDependencies(dependencies, nodeRepo, options);
|
127 | };
|
128 | exports.scanJsFile = function(file, repo, options) {
|
129 | return scanJsFile(file, repo, options);
|
130 | };
|
131 | exports.scanBowerFile = function(file, repo, options) {
|
132 | return scanBowerFile(file, repo, options);
|
133 | };
|
134 | exports.on = function(name, listener) {
|
135 | events.on(name, listener);
|
136 | };
|
137 |
|
138 |
|