UNPKG

@nodesecure/vulnera

Version:

NodeSecure vulnerabilities strategies

112 lines 4.04 kB
// Import Internal Dependencies import { VULN_MODE } from "../../constants.js"; import * as utils from "../../utils.js"; function mapFromNPM(vuln) { const hasCVSS = typeof vuln.cvss !== "undefined"; return { id: String(vuln.source), origin: VULN_MODE.GITHUB_ADVISORY, package: vuln.name, title: vuln.title, url: vuln.url, severity: utils.standardizeNpmSeverity(vuln.severity), vulnerableRanges: utils.fromMaybeStringToArray(vuln.range), vulnerableVersions: utils.fromMaybeStringToArray(vuln.vulnerableVersions), ...(hasCVSS ? { cvssScore: vuln.cvss.score, cvssVector: vuln.cvss.vectorString } : {}) }; } function mapFromPnpm(vuln) { const hasCVSS = typeof vuln.cvss !== "undefined"; return { id: String(vuln.id), origin: VULN_MODE.GITHUB_ADVISORY, package: vuln.module_name, title: vuln.title, description: vuln.overview, url: vuln.url, severity: utils.standardizeNpmSeverity(vuln.severity), cves: vuln.cves, patchedVersions: vuln.patched_versions, vulnerableRanges: [], vulnerableVersions: utils.fromMaybeStringToArray(vuln.vulnerable_versions), ...(hasCVSS ? { cvssScore: vuln.cvss.score, cvssVector: vuln.cvss.vectorString } : {}) }; } function mapFromSonatype(vuln) { return { id: vuln.id, origin: VULN_MODE.SONATYPE, package: vuln.package, title: vuln.title, url: vuln.reference, description: vuln.description, vulnerableRanges: vuln.versionRanges ?? [], vulnerableVersions: vuln.versionRanges ?? [], cves: utils.fromMaybeStringToArray(vuln.cve), cvssVector: vuln.cvssVector, cvssScore: vuln.cvssScore }; } function osvSeverityToStandard(severity) { const lower = severity.toLowerCase(); if (lower === "moderate") { return "medium"; } if (lower === "low" || lower === "medium" || lower === "high" || lower === "critical" || lower === "info") { return lower; } return undefined; } function mapFromOSV(vuln) { const advisoryRef = vuln.references?.find((r) => r.type === "ADVISORY") ?? vuln.references?.[0]; const cves = vuln.aliases?.filter((a) => a.startsWith("CVE-")) ?? []; const affected = vuln.affected?.[0]; const vulnerableVersions = affected?.versions ?? []; const semverRanges = affected?.ranges?.filter((r) => r.type === "SEMVER") ?? []; const vulnerableRanges = semverRanges.flatMap((range) => { const ranges = []; let intro; for (const event of range.events) { if (event.introduced !== undefined) { intro = event.introduced; } else if (event.fixed !== undefined && intro !== undefined) { ranges.push(`>=${intro} <${event.fixed}`); intro = undefined; } } return ranges; }); const patchedVersions = semverRanges .flatMap((r) => r.events.filter((e) => e.fixed !== undefined).map((e) => e.fixed)) .join(" || ") || undefined; const cvssEntry = vuln.severity?.[0]; const cvssVector = cvssEntry?.score; const dbSeverity = vuln.database_specific?.severity; const severity = dbSeverity ? osvSeverityToStandard(dbSeverity) : undefined; return { id: vuln.id, origin: VULN_MODE.OSV, package: vuln.package, title: vuln.summary, description: vuln.details, url: advisoryRef?.url, severity, cves: cves.length > 0 ? cves : undefined, cvssVector, vulnerableVersions, vulnerableRanges, patchedVersions }; } export const STANDARD_VULN_MAPPERS = Object.freeze({ [VULN_MODE.GITHUB_ADVISORY]: mapFromNPM, "github-advisory_pnpm": mapFromPnpm, [VULN_MODE.SONATYPE]: mapFromSonatype, [VULN_MODE.OSV]: mapFromOSV }); //# sourceMappingURL=mappers.js.map