Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add :vuln to npm query #7207

Closed
wants to merge 2 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion docs/lib/content/using-npm/dependency-selectors.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ The [`npm query`](/commands/npm-query) command exposes a new dependency selector
- Unlocks the ability to answer complex, multi-faceted questions about dependencies, their relationships & associative metadata
- Consolidates redundant logic of similar query commands in `npm` (ex. `npm fund`, `npm ls`, `npm outdated`, `npm audit` ...)

### Dependency Selector Syntax `v1.0.0`
### Dependency Selector Syntax

#### Overview:

Expand Down Expand Up @@ -62,6 +62,7 @@ The [`npm query`](/commands/npm-query) command exposes a new dependency selector
- `:path(<path>)` [glob](https://www.npmjs.com/package/glob) matching based on dependencies path relative to the project
- `:type(<type>)` [based on currently recognized types](https://github.com/npm/npm-package-arg#result-object)
- `:outdated(<type>)` when a dependency is outdated
- `:vuln` when a dependency has a known vulnerability
wraithgar marked this conversation as resolved.
Show resolved Hide resolved

##### `:semver(<spec>, [selector], [function])`

Expand Down Expand Up @@ -101,6 +102,12 @@ Some examples:
- `:root > :outdated(major)` returns every direct dependency that has a new semver major release
- `.prod:outdated(in-range)` returns production dependencies that have a new release that satisfies at least one of its edges in

##### `:vuln`

The `:vuln` pseudo selector retrieves data from the registry and returns information about which if your dependencies has a known vulnerability. Only dependencies whose current version matches a vulnerability will be returned. For example if you have `[email protected]` in your tree, a vulnerability for `semver` which affects versions `<=6.3.1` will not match.

In addition to the filtering performed by the pseudo selector, info about each relevant advisory will be added to the `queryContext` attribute of each node under the `advisories` attribute.

#### [Attribute Selectors](https://developer.mozilla.org/en-US/docs/Web/CSS/Attribute_selectors)

The attribute selector evaluates the key/value pairs in `package.json` if they are `String`s.
Expand Down
45 changes: 45 additions & 0 deletions workspaces/arborist/lib/query-selector-all.js
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ const { minimatch } = require('minimatch')
const npa = require('npm-package-arg')
const pacote = require('pacote')
const semver = require('semver')
const fetch = require('npm-registry-fetch')

// handle results for parsed query asts, results are stored in a map that has a
// key that points to each ast selector node and stores the resulting array of
Expand Down Expand Up @@ -432,6 +433,45 @@ class Results {
return this.initialItems.filter(node => node.target.edgesIn.size > 1)
}

async vulnPseudo () {
if (!this.initialItems.length) {
return this.initialItems
}
const packages = {}
// We have to map the items twice, once to get the request, and a second time to filter off the results of that request
this.initialItems.map((node) => {
if (node.isProjectRoot || node.package.private) {
return
}
if (!packages[node.name]) {
packages[node.name] = []
}
if (!packages[node.name].includes(node.version)) {
packages[node.name].push(node.version)
}
})
const res = await fetch('/-/npm/v1/security/advisories/bulk', {
...this.flatOptions,
registry: this.flatOptions.auditRegistry || this.flatOptions.registry,
method: 'POST',
gzip: true,
body: packages,
})
const advisories = await res.json()
return this.initialItems.filter(item => {
const vulnerable = advisories[item.name]?.filter(advisory =>
semver.intersects(advisory.vulnerable_versions, item.version)
)
if (vulnerable?.length) {
item.queryContext = {
advisories: vulnerable,
}
return true
}
return false
})
}

async outdatedPseudo () {
const { outdatedKind = 'any' } = this.currentAstNode

Expand All @@ -445,6 +485,11 @@ class Results {
return false
}

// private packages can't be published, skip them
if (node.package.private) {
return false
}

// we cache the promise representing the full versions list, this helps reduce the
// number of requests we send by keeping population of the cache in a single tick
// making it less likely that multiple requests for the same package will be inflight
Expand Down
10 changes: 10 additions & 0 deletions workspaces/arborist/test/query-selector-all.js
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,12 @@ t.test('query-selector-all', async t => {
nock.enableNetConnect()
})

nock('https://registry.npmjs.org')
.post('/-/npm/v1/security/advisories/bulk')
.reply(200, {
foo: [{ id: 'test-vuln', vulnerable_versions: '*' }],
moo: [{ id: 'test-vuln', vulnerable_versions: '<1.0.0' }],
})
for (const [pkg, versions] of Object.entries(packumentStubs)) {
nock('https://registry.npmjs.org')
.persist()
Expand Down Expand Up @@ -842,6 +848,10 @@ t.test('query-selector-all', async t => {
], { before: yesterday }],
[':outdated(nonsense)', [], { before: yesterday }], // again, no results here ever

// vuln pseudo
[':vuln', ['[email protected]']],
['#nomatch:vuln', []], // no network requests are made if the result set is empty

// attr pseudo
[':attr([name=dasher])', ['[email protected]']],
[':attr(dependencies, [bar="^1.0.0"])', ['[email protected]']],
Expand Down
Loading