authorGar <gar+gh@danger.computer>2022-04-04 21:43:32 +0300
committerGitHub <noreply@github.com>2022-04-04 21:43:32 +0300
commitaaf86f61836c45b254794785f0a2e8f43dc38800 (patch)
tree4ced58539233c5f57375899564763d86d3025cc7 /node_modules
parentde4de302e3562721ed2d6410182d493c36974e37 (diff)
deps: @npmcli/metavuln-calculator@3.1.0 (#4674)
* include cwe and cvss in advisories
Diffstat (limited to 'node_modules')
-rw-r--r--node_modules/@npmcli/metavuln-calculator/lib/advisory.js44
-rw-r--r--node_modules/@npmcli/metavuln-calculator/package.json27
2 files changed, 39 insertions, 32 deletions
diff --git a/node_modules/@npmcli/metavuln-calculator/lib/advisory.js b/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
index 5b58ef637..d30838e73 100644
--- a/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
+++ b/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
@@ -39,6 +39,8 @@ class Advisory {
this.severity = source.severity || 'high'
this.versions = []
this.vulnerableVersions = []
+ this.cwe = source.cwe
+ this.cvss = source.cvss
// advisories have the range, metavulns do not
// if an advisory doesn't specify range, assume all are vulnerable
@@ -326,7 +328,7 @@ class Advisory {
list.push(v)
}
- for (const list of versionSets) {
+ for (const set of versionSets) {
// it's common to have version lists like:
// 1.0.0
// 1.0.1-alpha.0
@@ -340,54 +342,54 @@ class Advisory {
// 1.0.2
// with a huge number of prerelease versions that are not installable
// anyway.
- // If mid has a prerelease tag, and list[0] does not, then walk it
+ // If mid has a prerelease tag, and set[0] does not, then walk it
// back until we hit a non-prerelease version
- // If mid has a prerelease tag, and list[list.length-1] does not,
+ // If mid has a prerelease tag, and set[set.length-1] does not,
// then walk it forward until we hit a version without a prerelease tag
// Similarly, if the head/tail is a prerelease, but there is a non-pr
- // version in the list, then start there instead.
+ // version in the set, then start there instead.
let h = 0
- const origHeadVuln = this.testVersion(list[h])
- while (h < list.length && /-/.test(String(list[h]))) {
+ const origHeadVuln = this.testVersion(set[h])
+ while (h < set.length && /-/.test(String(set[h]))) {
h++
}
// don't filter out the whole list! they might all be pr's
- if (h === list.length) {
+ if (h === set.length) {
h = 0
} else if (origHeadVuln) {
// if the original was vulnerable, assume so are all of these
for (let hh = 0; hh < h; hh++) {
- this[_markVulnerable](list[hh])
+ this[_markVulnerable](set[hh])
}
}
- let t = list.length - 1
- const origTailVuln = this.testVersion(list[t])
- while (t > h && /-/.test(String(list[t]))) {
+ let t = set.length - 1
+ const origTailVuln = this.testVersion(set[t])
+ while (t > h && /-/.test(String(set[t]))) {
t--
}
// don't filter out the whole list! might all be pr's
if (t === h) {
- t = list.length - 1
+ t = set.length - 1
} else if (origTailVuln) {
// if original tail was vulnerable, assume these are as well
- for (let tt = list.length - 1; tt > t; tt--) {
- this[_markVulnerable](list[tt])
+ for (let tt = set.length - 1; tt > t; tt--) {
+ this[_markVulnerable](set[tt])
}
}
const headVuln = h === 0 ? origHeadVuln
- : this.testVersion(list[h])
+ : this.testVersion(set[h])
- const tailVuln = t === list.length - 1 ? origTailVuln
- : this.testVersion(list[t])
+ const tailVuln = t === set.length - 1 ? origTailVuln
+ : this.testVersion(set[t])
// if head and tail both vulnerable, whole list is thrown out
if (headVuln && tailVuln) {
for (let v = h; v < t; v++) {
- this[_markVulnerable](list[v])
+ this[_markVulnerable](set[v])
}
continue
}
@@ -397,9 +399,9 @@ class Advisory {
continue
}
- const mid = Math.floor(list.length / 2)
- const pre = list.slice(0, mid)
- const post = list.slice(mid)
+ const mid = Math.floor(set.length / 2)
+ const pre = set.slice(0, mid)
+ const post = set.slice(mid)
// if the parent list wasn't prereleases, then drop pr tags
// from end of the pre list, and beginning of the post list,
diff --git a/node_modules/@npmcli/metavuln-calculator/package.json b/node_modules/@npmcli/metavuln-calculator/package.json
index 6c05ee529..2c04e0fd4 100644
--- a/node_modules/@npmcli/metavuln-calculator/package.json
+++ b/node_modules/@npmcli/metavuln-calculator/package.json
@@ -1,13 +1,16 @@
{
"name": "@npmcli/metavuln-calculator",
- "version": "3.0.1",
+ "version": "3.1.0",
"main": "lib/index.js",
"files": [
- "bin",
- "lib"
+ "bin/",
+ "lib/"
],
"description": "Calculate meta-vulnerabilities from package security advisories",
- "repository": "https://github.com/npm/metavuln-calculator",
+ "repository": {
+ "type": "git",
+ "url": "https://github.com/npm/metavuln-calculator.git"
+ },
"author": "GitHub Inc.",
"license": "ISC",
"scripts": {
@@ -19,19 +22,20 @@
"postversion": "npm publish",
"prepublishOnly": "git push origin --follow-tags",
"eslint": "eslint",
- "lint": "eslint '**/*.js'",
+ "lint": "eslint \"**/*.js\"",
"lintfix": "npm run lint -- --fix",
- "postlint": "npm-template-check",
- "template-copy": "npm-template-copy --force"
+ "postlint": "template-oss-check",
+ "template-oss-apply": "template-oss-apply --force"
},
"tap": {
"check-coverage": true,
"coverage-map": "map.js"
},
"devDependencies": {
- "@npmcli/template-oss": "^2.9.2",
+ "@npmcli/eslint-config": "^3.0.1",
+ "@npmcli/template-oss": "3.2.0",
"require-inject": "^1.4.4",
- "tap": "^15.1.6"
+ "tap": "^16.0.1"
},
"dependencies": {
"cacache": "^16.0.0",
@@ -40,9 +44,10 @@
"semver": "^7.3.5"
},
"engines": {
- "node": "^12.13.0 || ^14.15.0 || >=16"
+ "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
},
"templateOSS": {
- "version": "2.9.2"
+ "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
+ "version": "3.2.0"
}
}