Class: Bundler::Audit::Advisory

Inherits:

Struct

• Object
• Struct
• Bundler::Audit::Advisory

Defined in:

lib/bundler/audit/advisory.rb

Overview

Represents an advisory loaded from the Database.

Instance Attribute Summary

• #cve ⇒ Object

  Returns the value of attribute cve.

• #cvss_v2 ⇒ Object

  Returns the value of attribute cvss_v2.

• #cvss_v3 ⇒ Object

  Returns the value of attribute cvss_v3.

• #date ⇒ Object

  Returns the value of attribute date.

• #description ⇒ Object

  Returns the value of attribute description.

• #ghsa ⇒ Object

  Returns the value of attribute ghsa.

• #id ⇒ Object (also: #to_s)

  Returns the value of attribute id.

• #osvdb ⇒ Object

  Returns the value of attribute osvdb.

• #patched_versions ⇒ Object

  Returns the value of attribute patched_versions.

• #path ⇒ Object

  Returns the value of attribute path.

• #title ⇒ Object

  Returns the value of attribute title.

• #unaffected_versions ⇒ Object

  Returns the value of attribute unaffected_versions.

• #url ⇒ Object

  Returns the value of attribute url.

Class Method Summary

• .load(path) ⇒ Advisory

  Loads the advisory from a YAML file.

Instance Method Summary

• #==(other) ⇒ Boolean

  Compares two advisories.

• #criticality ⇒ :none, ...

  Determines how critical the vulnerability is.

• #cve_id ⇒ String^?

  The CVE identifier.

• #ghsa_id ⇒ String^?

  The GHSA (GitHub Security Advisory) identifier.

• #identifiers ⇒ Array<String>

  Return a compacted list of all ids.

• #osvdb_id ⇒ String^?

  The OSVDB identifier.

• #patched?(version) ⇒ Boolean

  Checks whether the version is patched against the advisory.

• #to_h ⇒ Hash{Symbol => Object}

  Converts the advisory to a Hash.

• #unaffected?(version) ⇒ Boolean

  Checks whether the version is not affected by the advisory.

• #vulnerable?(version) ⇒ Boolean

  Checks whether the version is vulnerable to the advisory.

Instance Attribute Details

#cve ⇒ Object

Returns the value of attribute cve

Returns:

• (Object) —

  the current value of cve

# File 'lib/bundler/audit/advisory.rb', line 25

def cve
  @cve
end

#cvss_v2 ⇒ Object

Returns the value of attribute cvss_v2

Returns:

• (Object) —

  the current value of cvss_v2

# File 'lib/bundler/audit/advisory.rb', line 25

def cvss_v2
  @cvss_v2
end

#cvss_v3 ⇒ Object

Returns the value of attribute cvss_v3

Returns:

• (Object) —

  the current value of cvss_v3

# File 'lib/bundler/audit/advisory.rb', line 25

def cvss_v3
  @cvss_v3
end

#date ⇒ Object

Returns the value of attribute date

Returns:

• (Object) —

  the current value of date

# File 'lib/bundler/audit/advisory.rb', line 25

def date
  @date
end

#description ⇒ Object

Returns the value of attribute description

Returns:

• (Object) —

  the current value of description

# File 'lib/bundler/audit/advisory.rb', line 25

def description
  @description
end

#ghsa ⇒ Object

Returns the value of attribute ghsa

Returns:

• (Object) —

  the current value of ghsa

# File 'lib/bundler/audit/advisory.rb', line 25

def ghsa
  @ghsa
end

#id ⇒ Object Also known as: to_s

Returns the value of attribute id

Returns:

• (Object) —

  the current value of id

# File 'lib/bundler/audit/advisory.rb', line 25

def id
  @id
end

#osvdb ⇒ Object

Returns the value of attribute osvdb

Returns:

• (Object) —

  the current value of osvdb

# File 'lib/bundler/audit/advisory.rb', line 25

def osvdb
  @osvdb
end

#patched_versions ⇒ Object

Returns the value of attribute patched_versions

Returns:

• (Object) —

  the current value of patched_versions

# File 'lib/bundler/audit/advisory.rb', line 25

def patched_versions
  @patched_versions
end

#path ⇒ Object

Returns the value of attribute path

Returns:

• (Object) —

  the current value of path

# File 'lib/bundler/audit/advisory.rb', line 25

def path
  @path
end

#title ⇒ Object

Returns the value of attribute title

Returns:

• (Object) —

  the current value of title

# File 'lib/bundler/audit/advisory.rb', line 25

def title
  @title
end

#unaffected_versions ⇒ Object

Returns the value of attribute unaffected_versions

Returns:

• (Object) —

  the current value of unaffected_versions

# File 'lib/bundler/audit/advisory.rb', line 25

def unaffected_versions
  @unaffected_versions
end

#url ⇒ Object

Returns the value of attribute url

Returns:

• (Object) —

  the current value of url

# File 'lib/bundler/audit/advisory.rb', line 25

def url
  @url
end

Class Method Details

.load(path) ⇒ Advisory

Loads the advisory from a YAML file.

Parameters:

• path (String) —

  The path to the advisory YAML file.

Returns:

• (Advisory)

# File 'lib/bundler/audit/advisory.rb', line 49

def self.load(path)
  id   = File.basename(path).chomp('.yml')
  data = File.open(path) do |yaml|
           if Psych::VERSION >= '3.1.0'
             YAML.safe_load(yaml, permitted_classes: [Date])
           else
             # XXX: psych < 3.1.0 YAML.safe_load calling convention
             YAML.safe_load(yaml, [Date])
           end
         end

  unless data.kind_of?(Hash)
    raise("advisory data in #{path.dump} was not a Hash")
  end

  parse_versions = lambda { |versions|
    Array(versions).map do |version|
      Gem::Requirement.new(*version.split(', '))
    end
  }

  return new(
    path,
    id,
    data['url'],
    data['title'],
    data['date'],
    data['description'],
    data['cvss_v2'],
    data['cvss_v3'],
    data['cve'],
    data['osvdb'],
    data['ghsa'],
    parse_versions[data['unaffected_versions']],
    parse_versions[data['patched_versions']]
  )
end

Instance Method Details

#==(other) ⇒ Boolean

Compares two advisories.

Parameters:

• other (Advisory)

Returns:

• (Boolean)

# File 'lib/bundler/audit/advisory.rb', line 209

def ==(other)
  id == other.id
end

#criticality ⇒ :none, ...

Determines how critical the vulnerability is.

Returns:

• (:none, :low, :medium, :high, :critical, nil) —

  The criticality of the vulnerability based on the CVSS score.

# File 'lib/bundler/audit/advisory.rb', line 137

def criticality
  if cvss_v3
    case cvss_v3
    when 0.0       then :none
    when 0.1..3.9  then :low
    when 4.0..6.9  then :medium
    when 7.0..8.9  then :high
    when 9.0..10.0 then :critical
    end
  elsif cvss_v2
    case cvss_v2
    when 0.0..3.9  then :low
    when 4.0..6.9  then :medium
    when 7.0..10.0 then :high
    end
  end
end

#cve_id ⇒ String^?

The CVE identifier.

Returns:

• (String, nil)

# File 'lib/bundler/audit/advisory.rb', line 92

def cve_id
  "CVE-#{cve}" if cve
end

#ghsa_id ⇒ String^?

The GHSA (GitHub Security Advisory) identifier

Returns:

• (String, nil)

Since:

• 0.7.0

# File 'lib/bundler/audit/advisory.rb', line 112

def ghsa_id
  "GHSA-#{ghsa}" if ghsa
end

#identifiers ⇒ Array<String>

Return a compacted list of all ids

Returns:

• (Array<String>)

Since:

• 0.7.0

# File 'lib/bundler/audit/advisory.rb', line 123

def identifiers
  [
    cve_id,
    osvdb_id,
    ghsa_id
  ].compact
end

#osvdb_id ⇒ String^?

The OSVDB identifier.

Returns:

• (String, nil)

# File 'lib/bundler/audit/advisory.rb', line 101

def osvdb_id
  "OSVDB-#{osvdb}" if osvdb
end

#patched?(version) ⇒ Boolean

Checks whether the version is patched against the advisory.

Parameters:

• version (Gem::Version) —

  The version to compare against #patched_versions.

Returns:

• (Boolean) —

  Specifies whether the version is patched against the advisory.

Since:

• 0.2.0

# File 'lib/bundler/audit/advisory.rb', line 183

def patched?(version)
  patched_versions.any? do |patched_version|
    patched_version === version
  end
end

#to_h ⇒ Hash{Symbol => Object}

Converts the advisory to a Hash.

Returns:

• (Hash{Symbol => Object})

# File 'lib/bundler/audit/advisory.rb', line 218

def to_h
  super.merge({
    criticality: criticality
  })
end

#unaffected?(version) ⇒ Boolean

Checks whether the version is not affected by the advisory.

Parameters:

• version (Gem::Version) —

  The version to compare against #unaffected_versions.

Returns:

• (Boolean) —

  Specifies whether the version is not affected by the advisory.

Since:

• 0.2.0

# File 'lib/bundler/audit/advisory.rb', line 166

def unaffected?(version)
  unaffected_versions.any? do |unaffected_version|
    unaffected_version === version
  end
end

#vulnerable?(version) ⇒ Boolean

Checks whether the version is vulnerable to the advisory.

Parameters:

• version (Gem::Version) —

  The version to compare against #patched_versions.

Returns:

• (Boolean) —

  Specifies whether the version is vulnerable to the advisory or not.

# File 'lib/bundler/audit/advisory.rb', line 198

def vulnerable?(version)
  !patched?(version) && !unaffected?(version)
end