n.kolosnaj/SimfonyBasics
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
b0e4dfbb76e1240bc64ec09f567ff948c453faac
SimfonyBasics/spa/node_modules/@npmcli/metavuln-calculator/README.md
nkolosnjaj b0e4dfbb76 Last commit july 5th
2024-07-05 13:46:23 +02:00

290 lines
10 KiB
Markdown
Raw Blame History

# @npmcli/metavuln-calculator
Calculate meta-vulnerabilities from package security advisories
This is a pretty low-level package to abstract out the parts of
[@npmcli/arborist](http://npm.im/@npmcli/arborist) that calculate
metavulnerabilities from security advisories. If you just want to get an
audit for a package tree, probably what you want to use is
`arborist.audit()`.
## USAGE
```js
const Calculator = require('@npmcli/metavuln-calculator')
// pass in any options for cacache and pacote
// see those modules for option descriptions
const calculator = new Calculator(options)
// get an advisory somehow, typically by POSTing a JSON payload like:
// {"pkgname":["1.2.3","4.3.5", ...versions], ...packages}
// to /-/npm/v1/security/advisories/bulk
// to get a payload response like:
// {
// "semver": [
// {
// "id": 31,
// "url": "https://npmjs.com/advisories/31",
// "title": "Regular Expression Denial of Service",
// "severity": "moderate",
// "vulnerable_versions": "<4.3.2"
// }
// ],
// ...advisories
// }
const arb = new Aborist(options)
const tree = await arb.loadActual()
const advisories = await getBulkAdvisoryReportSomehow(tree)
// then to get a comprehensive set of advisories including metavulns:
const set = new Set()
for (const [name, advisory] of Object.entries(advisories)) {
// make sure we have the advisories loaded with latest version lists
set.add(await calculator.calculate(name, {advisory}))
}
for (const vuln of set) {
for (const node of tree.inventory.query('name', vuln.name)) {
// not vulnerable, just keep looking
if (!vuln.testVersion(node.version))
continue
for (const { from: dep, spec } of node.edgesIn) {
const metaAdvisory = await calculator.calculate(dep.name, vuln)
if (metaAdvisory.testVersion(dep.version, spec)) {
set.add(metaAdvisory)
}
}
}
}
```
## API
### Class: Advisory
The `Calculator.calculate` method returns a Promise that resolves to a
`Advisory` object, filled in from the cache and updated if necessary with
the available advisory data.
Do not instantiate `Advisory` objects directly. Use the `calculate()`
method to get one with appropriate data filled in.
Do not mutate `Advisory` objects. Use the supplied methods only.
#### Fields
- `name` The name of the package that this vulnerability is about
- `id` The unique cache key for this vuln or metavuln. (See **Cache Keys**
below.)
- `dependency` For metavulns, the dependency that causes this package to be
have a vulnerability. For advisories, the same as `name`.
- `type` Either `'advisory'` or `'metavuln'`, depending on the type of
vulnerability that this object represents.
- `url` The url for the advisory (`null` for metavulns)
- `title` The text title of the advisory or metavuln
- `severity` The severity level info/low/medium/high/critical
- `range` The range that is vulnerable
- `versions` The set of available versions of the package
- `vulnerableVersions` The set of versions that are vulnerable
- `source` The numeric ID of the advisory, or the cache key of the
vulnerability that causes this metavuln
- `updated` Boolean indicating whether this vulnerability was updated since
being read from cache.
- `packument` The packument object for the package that this vulnerability
is about.
#### `vuln.testVersion(version, [dependencySpecifier]) -> Boolean`
Check to see if a given version is vulnerable. Returns `true` if the
version is vulnerable, and should be avoided.
For metavulns, `dependencySpecifier` indicates the version range of the
source of the vulnerability, which the module depends on. If not provided,
will attempt to read from the packument. If not provided, and unable to
read from the packument, then `true` is returned, indicating that the (not
installable) package version should be avoided.
#### Cache Keys
The cache keys are calculated by hashing together the `source` and `name`
fields, prefixing with the string `'security-advisory:'` and the name of
the dependency that is vulnerable.
So, a third-level metavulnerability might have a key like:
```
'security-advisory:foo:'+ hash(['foo', hash(['bar', hash(['baz', 123])])])
```
Thus, the cached entry with this key would reflect the version of `foo`
that is vulnerable by virtue of dependending exclusively on versions of
`bar` which are vulnerable by virtue of depending exclusively on versions
of `baz` which are vulnerable by virtue of advisory ID `123`.
Loading advisory data entirely from cache without hitting an npm registry
security advisory endpoint is not supported at this time, but technically
possible, and likely to come in a future version of this library.
### `calculator = new Calculator(options)`
Options object is used for `cacache` and `pacote` calls.
### `calculator.calculate(name, source)`
- `name` The name of the package that the advisory is about
- `source` Advisory object from the npm security endpoint, or a `Advisory`
object returned by a previous call to the `calculate()` method.
"Advisory" objects need to have:
- `id` id of the advisory or Advisory object
- `vulnerable_versions` range of versions affected
- `url`
- `title`
- `severity`
Fetches the packument and returns a Promise that resolves to a
vulnerability object described above.
Will perform required I/O to fetch package metadata from registry and
read from cache. Advisory information written back to cache.
## Dependent Version Sampling
Typically, dependency ranges don't change very frequently, and the most
recent version published on a given release line is most likely to contain
the fix for a given vulnerability.
So, we see things like this:
```
3.0.4 - not vulnerable
3.0.3 - vulnerable
3.0.2 - vulnerable
3.0.1 - vulnerable
3.0.0 - vulnerable
2.3.107 - not vulnerable
2.3.106 - not vulnerable
2.3.105 - vulnerable
... 523 more vulnerable versions ...
2.0.0 - vulnerable
1.1.102 - not vulnerable
1.1.101 - vulnerable
... 387 more vulnerable versions ...
0.0.0 - vulnerable
```
In order to determine which versions of a package are affected by a
vulnerability in a dependency, this module uses the following algorithm to
minimize the number of tests required by performing a binary search on each
version set, and presuming that versions _between_ vulnerable versions
within a given set are also vulnerable.
1. Sort list of available versions by SemVer precedence
2. Group versions into sets based on MAJOR/MINOR versions.
3.0.0 - 3.0.4
2.3.0 - 2.3.107
2.2.0 - 2.2.43
2.1.0 - 2.1.432
2.0.0 - 2.0.102
1.1.0 - 1.1.102
1.0.0 - 1.0.157
0.1.0 - 0.1.123
0.0.0 - 0.0.57
3. Test the highest and lowest in each MAJOR/MINOR set, and mark highest
and lowest with known-vulnerable status. (`(s)` means "safe" and `(v)`
means "vulnerable".)
3.0.0(v) - 3.0.4(s)
2.3.0(v) - 2.3.107(s)
2.2.0(v) - 2.2.43(v)
2.1.0(v) - 2.1.432(v)
2.0.0(v) - 2.0.102(v)
1.1.0(v) - 1.1.102(s)
1.0.0(v) - 1.0.157(v)
0.1.0(v) - 0.1.123(v)
0.0.0(v) - 0.0.57(v)
4. For each set of package versions:
1. If highest and lowest both vulnerable, assume entire set is
vulnerable, and continue to next set. Ie, in the example, throw out
the following version sets:
2.2.0(v) - 2.2.43(v)
2.1.0(v) - 2.1.432(v)
2.0.0(v) - 2.0.102(v)
1.0.0(v) - 1.0.157(v)
0.1.0(v) - 0.1.123(v)
0.0.0(v) - 0.0.57(v)
2. Test middle version MID in set, splitting into two sets.
3.0.0(v) - 3.0.2(v) - 3.0.4(s)
2.3.0(v) - 2.3.54(v) - 2.3.107(s)
1.1.0(v) - 1.1.51(v) - 1.1.102(s)
3. If any untested versions in Set(mid..highest) or Set(lowest..mid),
add to list of sets to test.
3.0.0(v) - 3.0.2(v) <-- thrown out on next iteration
3.0.2(v) - 3.0.4(s)
2.3.0(v) - 2.3.54(v) <-- thrown out on next iteration
2.3.54(v) - 2.3.107(s)
1.1.0(v) - 1.1.51(v) <-- thrown out on next iteration
1.1.51(v) - 1.1.102(s)
When the process finishes, all versions are either confirmed safe, or
confirmed/assumed vulnerable, and we avoid checking large sets of versions
where vulnerabilities went unfixed.
### Testing Version for MetaVuln Status
When the dependency is in `bundleDependencies`, we treat any dependent
version that _may_ be vulnerable as a vulnerability. If the dependency is
not in `bundleDependencies`, then we treat the dependent module as a
vulnerability if it can _only_ resolve to dependency versions that are
vulnerable.
This relies on the reasonable assumption that the version of a bundled
dependency will be within the stated dependency range, and accounts for the
fact that we can't know ahead of time which version of a dependency may be
bundled. So, we avoid versions that _may_ bundle a vulnerable dependency.
For example:
Package `foo` depends on package `bar` at the following version ranges:
```
foo version bar version range
1.0.0 ^1.2.3
1.0.1 ^1.2.4
1.0.2 ^1.2.5
1.1.0 ^1.3.1
1.1.1 ^1.3.2
1.1.2 ^1.3.3
2.0.0 ^2.0.0
2.0.1 ^2.0.1
2.0.2 ^2.0.2
```
There is an advisory for `bar@1.2.4 - 1.3.2`. So:
```
foo version vulnerable?
1.0.0 if bundled (can use 1.2.3, which is not vulnerable)
1.0.1 yes (must use ^1.2.4, entirely contained in vuln range)
1.0.2 yes (must use ^1.2.5, entirely contained in vuln range)
1.1.0 if bundled (can use 1.3.3, which is not vulnerable)
1.1.1 if bundled (can use 1.3.3, which is not vulnerable)
1.1.2 no (dep is outside of vuln range)
2.0.0 no (dep is outside of vuln range)
2.0.1 no (dep is outside of vuln range)
2.0.2 no (dep is outside of vuln range)
```
To test a package version for metaVulnerable status, we attempt to load the
manifest of the dependency, using the vulnerable version set as the `avoid`
versions. If we end up selecting a version that should be avoided, then
that means that the package is vulnerable by virtue of its dependency.
Reference in New Issue View Git Blame Copy Permalink