@nodesecure/vulnera
Version:
NodeSecure vulnerabilities strategies
77 lines • 2.71 kB
JavaScript
/* eslint-disable no-empty */
// Import Internal Dependencies
import { VULN_MODE } from "../constants.js";
import { formatVulnsPayload } from "../formats/index.js";
import { OSV } from "../database/index.js";
import { NodeDependencyExtractor } from "../extractor/index.js";
import * as utils from "../utils.js";
// CONSTANTS
const kBatchSize = 1000;
/**
* Creates an OSV vulnerability scanning strategy that queries the OSV database
* directly using the /v1/querybatch endpoint for efficient batch lookups.
* No credentials are required for the OSV public API.
*/
export function OSVStrategy() {
const db = new OSV();
return {
strategy: VULN_MODE.OSV,
hydratePayloadDependencies: hydratePayloadDependencies.bind(null, db),
getVulnerabilities: getVulnerabilities.bind(null, db)
};
}
function toQuery({ name, version }) {
return {
version,
package: { name, ecosystem: "npm" }
};
}
async function queryAndAnnotate(db, pairs) {
const queries = pairs.map(toQuery);
const allResults = [];
for (const chunk of utils.chunkArray(queries, kBatchSize)) {
const results = await db.queryBatch(chunk);
allResults.push(...results);
}
const annotatedVulns = [];
for (let i = 0; i < allResults.length; i++) {
const result = allResults[i];
if (!result.vulns) {
continue;
}
const { name } = pairs[i];
for (const vuln of result.vulns) {
annotatedVulns.push({ ...vuln, package: name });
}
}
return annotatedVulns;
}
async function getVulnerabilities(db, path, options = {}) {
const { useFormat } = options;
const extractor = new NodeDependencyExtractor();
const packages = await extractor.extract(path);
const annotatedVulns = await queryAndAnnotate(db, packages);
return formatVulnsPayload(useFormat)(VULN_MODE.OSV, annotatedVulns);
}
async function hydratePayloadDependencies(db, dependencies, options = {}) {
const { useFormat } = options;
const pairs = [];
for (const [name, dep] of dependencies) {
for (const version of Object.keys(dep.versions)) {
pairs.push({ name, version });
}
}
try {
const annotatedVulns = await queryAndAnnotate(db, pairs);
const formatVulnerabilities = formatVulnsPayload(useFormat);
for (const annotated of annotatedVulns) {
const dep = dependencies.get(annotated.package);
if (dep) {
const formatted = formatVulnerabilities(VULN_MODE.OSV, [annotated]);
dep.vulnerabilities.push(...formatted);
}
}
}
catch { }
}
//# sourceMappingURL=osv.js.map