feat(query): add :vuln pseudo selector
Showing 3 changed files with 109 additions and 1 deletion.
@@ -13,7 +13,7 @@ The [`npm query`](/commands/npm-query) command exposes a new dependency selector | |
- Unlocks the ability to answer complex, multi-faceted questions about dependencies, their relationships & associative metadata | ||
- Consolidates redundant logic of similar query commands in `npm` (ex. `npm fund`, `npm ls`, `npm outdated`, `npm audit` ...) | ||
|
||
### Dependency Selector Syntax `v1.0.0` | ||
### Dependency Selector Syntax | ||
|
||
#### Overview: | ||
|
||
|
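Review bot: dropping `v1.0.0` from the `### Dependency Selector Syntax` heading leaves the selector syntax with no stated version in the very commit that extends it with `:vuln`. Either bump the label (the new pseudo selector is an additive change) or add a sentence saying the syntax is no longer versioned separately from npm, so readers of the docs know which npm release introduced `:vuln`.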
@@ -62,6 +62,7 @@ The [`npm query`](/commands/npm-query) command exposes a new dependency selector | |
- `:path(<path>)` [glob](https://www.npmjs.com/package/glob) matching based on dependencies path relative to the project | ||
- `:type(<type>)` [based on currently recognized types](https://github.com/npm/npm-package-arg#result-object) | ||
- `:outdated(<type>)` when a dependency is outdated | ||
- `:vuln(<selector>)` when a dependency has a known vulnerability | ||
|
||
##### `:semver(<spec>, [selector], [function])` | ||
|
||
|
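Review bot: the new list entry reads `:vuln(<selector>)`, but the argument is optional (the examples use bare `:vuln` and `:root > .prod:vuln`), and the neighbouring entries mark optional arguments with square brackets, as in `:semver(<spec>, [selector], [function])`. Suggest `:vuln([selector])`, plus a few words on what the selector is matched against (advisory attributes such as `severity` and `cwe`) so this line reads on its own without the `##### :vuln` section.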
@@ -101,6 +102,21 @@ Some examples: | |
- `:root > :outdated(major)` returns every direct dependency that has a new semver major release | ||
- `.prod:outdated(in-range)` returns production dependencies that have a new release that satisfies at least one of its parent's dependencies | ||
|
||
##### `:vuln` | ||
|
||
The `:vuln` pseudo selector retrieves data from the registry and returns information about which if your dependencies has a known vulnerability. Only dependencies whose current version matches a vulnerability will be returned. For example if you have `[email protected]` in your tree, a vulnerability for `semver` which affects versions `<=6.3.1` will not match. | ||
|
||
You can also filter results by certain attributes in advisories. Currently that includes `severity` and `cwe`. Note that severity filtering is done per severity, it does not include severities "higher" or "lower" than the one specified. | ||
|
||
In addition to the filtering performed by the pseudo selector, info about each relevant advisory will be added to the `queryContext` attribute of each node under the `advisories` attribute. | ||
|
||
Some examples: | ||
|
||
- `:root > .prod:vuln` returns direct production dependencies with any known vulnerability | ||
- `:vuln([severity=high])` returns only dependencies with a vulnerability with a `high` severity. | ||
- `:vuln([severity=high],[severity=moderate])` returns only dependencies with a vulnerability with a `high` or `moderate` severity. | ||
- `:vuln([cwe=1333])` returns only dependencies with a vulnerability that includes CWE-1333 (ReDoS) | ||
|
||
#### [Attribute Selectors](https://developer.mozilla.org/en-US/docs/Web/CSS/Attribute_selectors) | ||
|
||
The attribute selector evaluates the key/value pairs in `package.json` if they are `String`s. | ||
|
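Review bot: typo in the first paragraph of the new `##### :vuln` section: "which if your dependencies has a known vulnerability" should read "which of your dependencies have a known vulnerability". Two documentation gaps in the same section are worth closing while here: the example `:vuln([cwe=1333])` uses the bare number while advisories carry the identifier as `CWE-1333` (the test stub has `cwe: ['CWE-123']` matched by `[cwe=123]`), so the text should state that the `CWE-` prefix is stripped for matching; and since the selector "retrieves data from the registry", the section should say plainly that `:vuln` makes a network request to the configured registry, so users running offline or against a private registry know where the data comes from and why the query may return nothing.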
@@ -99,6 +99,14 @@ t.test('query-selector-all', async t => { | |
nock.enableNetConnect() | ||
}) | ||
|
||
nock('https://registry.npmjs.org') | ||
.persist() | ||
.post('/-/npm/v1/security/advisories/bulk') | ||
.reply(200, { | ||
foo: [{ id: 'test-vuln', vulnerable_versions: '*', severity: 'high', cwe: [] }], | ||
sive: [{ id: 'test-vuln', vulnerable_versions: '*', severity: 'low', cwe: ['CWE-123'] }], | ||
moo: [{ id: 'test-vuln', vulnerable_versions: '<1.0.0' }], | ||
}) | ||
for (const [pkg, versions] of Object.entries(packumentStubs)) { | ||
nock('https://registry.npmjs.org') | ||
.persist() | ||
|
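Review bot: all three stubbed advisories share `id: 'test-vuln'`, so a later assertion on `queryContext.advisories` (which the README says is populated for each matched node) could not tell them apart; give each a distinct id. A short comment that the `moo` advisory deliberately omits `severity` and `cwe` would also help, since it is the case that exercises missing attributes together with the `<1.0.0` version-range exclusion.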
@@ -842,6 +850,15 @@ t.test('query-selector-all', async t => { | |
], { before: yesterday }], | ||
[':outdated(nonsense)', [], { before: yesterday }], // again, no results here ever | ||
|
||
// vuln pseudo | ||
[':vuln', ['[email protected]', '[email protected]']], | ||
[':vuln([severity=high])', ['[email protected]']], | ||
[':vuln:not(:vuln([cwe=123]))', ['[email protected]']], | ||
[':vuln([cwe])', ['[email protected]']], | ||
[':vuln([cwe=123])', ['[email protected]']], | ||
[':vuln([severity=critical])', []], | ||
['#nomatch:vuln', []], // no network requests are made if the result set is empty | ||
|
||
// attr pseudo | ||
[':attr([name=dasher])', ['[email protected]']], | ||
[':attr(dependencies, [bar="^1.0.0"])', ['[email protected]']], | ||
|
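Review bot: the `'#nomatch:vuln'` case is commented "no network requests are made if the result set is empty", but nothing asserts that; with `.persist()` on the bulk-advisories stub the case would pass just the same if a request were made. Suggest checking the scope for that case (for example a separate non-persisted `nock` scope whose `isDone()` is expected to be false, or `nock.pendingMocks()` still listing it) so the comment is enforced. The table also only checks which nodes are selected; one assertion that a matched node's `queryContext.advisories` contains the stubbed advisory would cover the second half of the behaviour documented in the README.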