class Rondabot::NpmAndYarn

Attributes

dependencies[RW]

Public Class Methods

new(dependencies)
# File lib/module/NpmAndYarn.rb, line 11
# Builds an auditor over the given dependency list.
#
# @param dependencies [Enumerable] dependency objects; #audit reads +name+
#   and +requirements+ from each — nothing is validated here
def initialize(dependencies)
  @dependencies = dependencies
end

Public Instance Methods

audit()

Faz uma requisição ao serviço do npm para verificar quais dependências da lista são vulneráveis

Retorna uma lista de hashes no formato:

  { :name => "module name",
    :patched_versions => [Rondabot::Version],
    :current_version => Rondabot::Version }

# File lib/module/NpmAndYarn.rb, line 25
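# Submits the dependency list to npm's audit endpoint and reports which of
# them have known advisories.
#
# Each dependency must respond to +name+ and +requirements+ (an array of
# hashes carrying a +:requirement+ string); only the first requirement is
# sent, mirroring the "requires"/"dependencies" sections of a lockfile.
#
# @return [Array<Hash>] one entry per advisory the service resolves, shaped
#   as { name: "module name", patched_versions: [Rondabot::Version],
#   current_version: Rondabot::Version }; empty when the reply is empty
# @raise [RuntimeError] when the registry answers with a non-2xx status —
#   a failed audit must not be reported as a clean one
def audit
  requires_section = {}
  dependencies_section = {}
  dependencies.each do |dep|
    name = dep.name.to_sym
    requirement = dep.requirements.first[:requirement]
    requires_section[name] = requirement
    dependencies_section[name] = { version: requirement }
  end

  body = {
    name: "rondabot",
    version: "1.0.0",
    requires: requires_section,
    dependencies: dependencies_section
  }

  response = request(
    url: URI("https://registry.npmjs.org/-/npm/v1/security/audits"),
    body: body
  )

  # An error reply (rate limit, outage, rejected payload) has no "actions"
  # key; treating it as "no findings" would be a silent false negative.
  unless response.is_a?(Net::HTTPSuccess)
    raise "npm audit request failed with HTTP #{response.code}"
  end

  audit_data = response.read_body
  return [] if audit_data.nil? || audit_data.empty?

  # Turn the reply into one entry per advisory: the dependency's current
  # version plus the versions that carry the fix.
  object = JSON.parse(audit_data)
  vulnerabilidades(object).map do |vul|
    vulnerable_version(object["advisories"], vul)
  end
end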

Private Instance Methods

request(config)
# File lib/module/NpmAndYarn.rb, line 68
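# POSTs +config[:body]+ as JSON to +config[:url]+ over TLS.
#
# @param config [Hash] +:url+ — a URI whose host and port are used;
#   +:body+ — any object responding to +to_json+
# @return [Net::HTTPResponse] the raw response; status checking is left
#   to the caller
def request(config)
  url = config[:url]

  https = Net::HTTP.new(url.host, url.port)
  https.use_ssl = true
  # Net::HTTP verifies the peer by default when use_ssl is on; stating it
  # explicitly keeps audit results authentic even if that default moves.
  https.verify_mode = OpenSSL::SSL::VERIFY_PEER

  # Named +post+ so the local does not shadow this method.
  post = Net::HTTP::Post.new(url)
  post["Content-Type"] = "application/json"
  post.body = config[:body].to_json

  # Block form opens the connection for this call and closes it afterwards.
  https.start { |http| http.request(post) }
end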
vulnerabilidades(obj_audit_data)
# File lib/module/NpmAndYarn.rb, line 80
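# Collects the advisory ids that the audit reply's suggested actions resolve.
#
# @param obj_audit_data [Hash] parsed npm audit reply; only "actions" and,
#   inside each action, "resolves" are read
# @return [Array<Hash>] one { id: <advisory id> } per resolve entry, in
#   reply order (duplicates are kept); [] when "actions" or a "resolves"
#   key is missing or empty, as in error replies
def vulnerabilidades(obj_audit_data)
  actions = obj_audit_data["actions"] || []
  actions.flat_map do |action|
    resolves = action["resolves"] || []
    resolves.map { |resolve| { id: resolve["id"] } }
  end
end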
vulnerable_version(advisories, vulnerability)
# File lib/module/NpmAndYarn.rb, line 96
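# Pairs one resolved advisory with the dependency version it was found in.
#
# @param advisories [Hash] the reply's "advisories" map, keyed by advisory
#   id as a String
# @param vulnerability [Hash] { id: <advisory id> } as built by
#   #vulnerabilidades
# @return [Hash] { name:, patched_versions: [Rondabot::Version],
#   current_version: Rondabot::Version }; only the first finding's version
#   is reported
# @raise [KeyError] when the reply lists an id with no matching advisory —
#   clearer than the NoMethodError a nil lookup would produce
def vulnerable_version(advisories, vulnerability)
  advisory = advisories.fetch(vulnerability[:id].to_s)
  {
    name: advisory["module_name"],
    patched_versions: Rondabot::Version.make(advisory["patched_versions"]),
    current_version: Rondabot::Version.new(advisory["findings"].first["version"])
  }
end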