Class: Bundler::Audit::Advisory

Inherits:
Struct
  • Object
show all
Defined in:
lib/bundler/audit/advisory.rb

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#cveObject

Returns the value of attribute cve

Returns:

  • (Object)

    the current value of cve


22
23
24
# File 'lib/bundler/audit/advisory.rb', line 22

def cve
  @cve
end

#cvss_v2Object

Returns the value of attribute cvss_v2

Returns:

  • (Object)

    the current value of cvss_v2


22
23
24
# File 'lib/bundler/audit/advisory.rb', line 22

def cvss_v2
  @cvss_v2
end

#cvss_v3Object

Returns the value of attribute cvss_v3

Returns:

  • (Object)

    the current value of cvss_v3


22
23
24
# File 'lib/bundler/audit/advisory.rb', line 22

def cvss_v3
  @cvss_v3
end

#dateObject

Returns the value of attribute date

Returns:

  • (Object)

    the current value of date


22
23
24
# File 'lib/bundler/audit/advisory.rb', line 22

def date
  @date
end

#descriptionObject

Returns the value of attribute description

Returns:

  • (Object)

    the current value of description


22
23
24
# File 'lib/bundler/audit/advisory.rb', line 22

def description
  @description
end

#ghsaObject

Returns the value of attribute ghsa

Returns:

  • (Object)

    the current value of ghsa


22
23
24
# File 'lib/bundler/audit/advisory.rb', line 22

def ghsa
  @ghsa
end

#idObject Also known as: to_s

Returns the value of attribute id

Returns:

  • (Object)

    the current value of id


22
23
24
# File 'lib/bundler/audit/advisory.rb', line 22

def id
  @id
end

#osvdbObject

Returns the value of attribute osvdb

Returns:

  • (Object)

    the current value of osvdb


22
23
24
# File 'lib/bundler/audit/advisory.rb', line 22

def osvdb
  @osvdb
end

#patched_versionsObject

Returns the value of attribute patched_versions

Returns:

  • (Object)

    the current value of patched_versions


22
23
24
# File 'lib/bundler/audit/advisory.rb', line 22

def patched_versions
  @patched_versions
end

#pathObject

Returns the value of attribute path

Returns:

  • (Object)

    the current value of path


22
23
24
# File 'lib/bundler/audit/advisory.rb', line 22

def path
  @path
end

#titleObject

Returns the value of attribute title

Returns:

  • (Object)

    the current value of title


22
23
24
# File 'lib/bundler/audit/advisory.rb', line 22

def title
  @title
end

#unaffected_versionsObject

Returns the value of attribute unaffected_versions

Returns:

  • (Object)

    the current value of unaffected_versions


22
23
24
# File 'lib/bundler/audit/advisory.rb', line 22

def unaffected_versions
  @unaffected_versions
end

#urlObject

Returns the value of attribute url

Returns:

  • (Object)

    the current value of url


22
23
24
# File 'lib/bundler/audit/advisory.rb', line 22

def url
  @url
end

Class Method Details

.load(path) ⇒ Advisory

Loads the advisory from a YAML file.

Parameters:

  • path (String)

    The path to the advisory YAML file.

Returns:


46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
# File 'lib/bundler/audit/advisory.rb', line 46

def self.load(path)
  id   = File.basename(path).chomp('.yml')
  data = YAML.load_file(path)

  unless data.kind_of?(Hash)
    raise("advisory data in #{path.dump} was not a Hash")
  end

  parse_versions = lambda { |versions|
    Array(versions).map do |version|
      Gem::Requirement.new(*version.split(', '))
    end
  }

  return new(
    path,
    id,
    data['url'],
    data['title'],
    data['date'],
    data['description'],
    data['cvss_v2'],
    data['cvss_v3'],
    data['cve'],
    data['osvdb'],
    data['ghsa'],
    parse_versions[data['unaffected_versions']],
    parse_versions[data['patched_versions']]
  )
end

Instance Method Details

#criticality:none, ...

Determines how critical the vulnerability is.

Returns:

  • (:none, :low, :medium, :high, :critical)

    The criticality of the vulnerability based on the CVSS score.


127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
# File 'lib/bundler/audit/advisory.rb', line 127

def criticality
  if cvss_v3
    case cvss_v3
    when 0.0       then :none
    when 0.1..3.9  then :low
    when 4.0..6.9  then :medium
    when 7.0..8.9  then :high
    when 9.0..10.0 then :critical
    end
  elsif cvss_v2
    case cvss_v2
    when 0.0..3.9  then :low
    when 4.0..6.9  then :medium
    when 7.0..10.0 then :high
    end
  end
end

#cve_idString?

The CVE identifier.

Returns:

  • (String, nil)

82
83
84
# File 'lib/bundler/audit/advisory.rb', line 82

def cve_id
  "CVE-#{cve}" if cve
end

#ghsa_idString?

The GHSA (GitHub Security Advisory) identifier

Returns:

  • (String, nil)

Since:

  • 0.7.0


102
103
104
# File 'lib/bundler/audit/advisory.rb', line 102

def ghsa_id
  "GHSA-#{ghsa}" if ghsa
end

#identifiersArray<String>

Return a compacted list of all ids

Returns:

  • (Array<String>)

Since:

  • 0.7.0


113
114
115
116
117
118
119
# File 'lib/bundler/audit/advisory.rb', line 113

def identifiers
  [
    cve_id,
    osvdb_id,
    ghsa_id
  ].compact
end

#osvdb_idString?

The OSVDB identifier.

Returns:

  • (String, nil)

91
92
93
# File 'lib/bundler/audit/advisory.rb', line 91

def osvdb_id
  "OSVDB-#{osvdb}" if osvdb
end

#patched?(version) ⇒ Boolean

Checks whether the version is patched against the advisory.

Parameters:

Returns:

  • (Boolean)

    Specifies whether the version is patched against the advisory.

Since:

  • 0.2.0


173
174
175
176
177
# File 'lib/bundler/audit/advisory.rb', line 173

def patched?(version)
  patched_versions.any? do |patched_version|
    patched_version === version
  end
end

#unaffected?(version) ⇒ Boolean

Checks whether the version is not affected by the advisory.

Parameters:

Returns:

  • (Boolean)

    Specifies whether the version is not affected by the advisory.

Since:

  • 0.2.0


156
157
158
159
160
# File 'lib/bundler/audit/advisory.rb', line 156

def unaffected?(version)
  unaffected_versions.any? do |unaffected_version|
    unaffected_version === version
  end
end

#vulnerable?(version) ⇒ Boolean

Checks whether the version is vulnerable to the advisory.

Parameters:

Returns:

  • (Boolean)

    Specifies whether the version is vulnerable to the advisory or not.


188
189
190
# File 'lib/bundler/audit/advisory.rb', line 188

def vulnerable?(version)
  !patched?(version) && !unaffected?(version)
end