UNPKG

@nodesecure/vulnera

Version:

NodeSecure vulnerabilities strategies

77 lines 2.71 kB
/* eslint-disable no-empty */ // Import Internal Dependencies import { VULN_MODE } from "../constants.js"; import { formatVulnsPayload } from "../formats/index.js"; import { OSV } from "../database/index.js"; import { NodeDependencyExtractor } from "../extractor/index.js"; import * as utils from "../utils.js"; // CONSTANTS const kBatchSize = 1000; /** * Creates an OSV vulnerability scanning strategy that queries the OSV database * directly using the /v1/querybatch endpoint for efficient batch lookups. * No credentials are required for the OSV public API. */ export function OSVStrategy() { const db = new OSV(); return { strategy: VULN_MODE.OSV, hydratePayloadDependencies: hydratePayloadDependencies.bind(null, db), getVulnerabilities: getVulnerabilities.bind(null, db) }; } function toQuery({ name, version }) { return { version, package: { name, ecosystem: "npm" } }; } async function queryAndAnnotate(db, pairs) { const queries = pairs.map(toQuery); const allResults = []; for (const chunk of utils.chunkArray(queries, kBatchSize)) { const results = await db.queryBatch(chunk); allResults.push(...results); } const annotatedVulns = []; for (let i = 0; i < allResults.length; i++) { const result = allResults[i]; if (!result.vulns) { continue; } const { name } = pairs[i]; for (const vuln of result.vulns) { annotatedVulns.push({ ...vuln, package: name }); } } return annotatedVulns; } async function getVulnerabilities(db, path, options = {}) { const { useFormat } = options; const extractor = new NodeDependencyExtractor(); const packages = await extractor.extract(path); const annotatedVulns = await queryAndAnnotate(db, packages); return formatVulnsPayload(useFormat)(VULN_MODE.OSV, annotatedVulns); } async function hydratePayloadDependencies(db, dependencies, options = {}) { const { useFormat } = options; const pairs = []; for (const [name, dep] of dependencies) { for (const version of Object.keys(dep.versions)) { pairs.push({ name, version }); } } try { const annotatedVulns = await queryAndAnnotate(db, pairs); const formatVulnerabilities = formatVulnsPayload(useFormat); for (const annotated of annotatedVulns) { const dep = dependencies.get(annotated.package); if (dep) { const formatted = formatVulnerabilities(VULN_MODE.OSV, [annotated]); dep.vulnerabilities.push(...formatted); } } } catch { } } //# sourceMappingURL=osv.js.map