Class: Bundler::Audit::Advisory

Inherits:
Struct
  • Object
show all
Defined in:
lib/bundler/audit/advisory.rb

Overview

Represents an advisory loaded from the Database.

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#cveObject

Returns the value of attribute cve

Returns:

  • (Object)

    the current value of cve



26
27
28
# File 'lib/bundler/audit/advisory.rb', line 26

def cve
  @cve
end

#cvss_v2Object

Returns the value of attribute cvss_v2

Returns:

  • (Object)

    the current value of cvss_v2



26
27
28
# File 'lib/bundler/audit/advisory.rb', line 26

def cvss_v2
  @cvss_v2
end

#cvss_v3Object

Returns the value of attribute cvss_v3

Returns:

  • (Object)

    the current value of cvss_v3



26
27
28
# File 'lib/bundler/audit/advisory.rb', line 26

def cvss_v3
  @cvss_v3
end

#dateObject

Returns the value of attribute date

Returns:

  • (Object)

    the current value of date



26
27
28
# File 'lib/bundler/audit/advisory.rb', line 26

def date
  @date
end

#descriptionObject

Returns the value of attribute description

Returns:

  • (Object)

    the current value of description



26
27
28
# File 'lib/bundler/audit/advisory.rb', line 26

def description
  @description
end

#ghsaObject

Returns the value of attribute ghsa

Returns:

  • (Object)

    the current value of ghsa



26
27
28
# File 'lib/bundler/audit/advisory.rb', line 26

def ghsa
  @ghsa
end

#idObject Also known as: to_s

Returns the value of attribute id

Returns:

  • (Object)

    the current value of id



26
27
28
# File 'lib/bundler/audit/advisory.rb', line 26

def id
  @id
end

#osvdbObject

Returns the value of attribute osvdb

Returns:

  • (Object)

    the current value of osvdb



26
27
28
# File 'lib/bundler/audit/advisory.rb', line 26

def osvdb
  @osvdb
end

#patched_versionsObject

Returns the value of attribute patched_versions

Returns:

  • (Object)

    the current value of patched_versions



26
27
28
# File 'lib/bundler/audit/advisory.rb', line 26

def patched_versions
  @patched_versions
end

#pathObject

Returns the value of attribute path

Returns:

  • (Object)

    the current value of path



26
27
28
# File 'lib/bundler/audit/advisory.rb', line 26

def path
  @path
end

#titleObject

Returns the value of attribute title

Returns:

  • (Object)

    the current value of title



26
27
28
# File 'lib/bundler/audit/advisory.rb', line 26

def title
  @title
end

#unaffected_versionsObject

Returns the value of attribute unaffected_versions

Returns:

  • (Object)

    the current value of unaffected_versions



26
27
28
# File 'lib/bundler/audit/advisory.rb', line 26

def unaffected_versions
  @unaffected_versions
end

#urlObject

Returns the value of attribute url

Returns:

  • (Object)

    the current value of url



26
27
28
# File 'lib/bundler/audit/advisory.rb', line 26

def url
  @url
end

Class Method Details

.load(path) ⇒ Advisory

Loads the advisory from a YAML file.

Parameters:

  • path (String)

    The path to the advisory YAML file.

Returns:



50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# File 'lib/bundler/audit/advisory.rb', line 50

def self.load(path)
  id   = File.basename(path).chomp('.yml')
  data = File.open(path) do |yaml|
           if Psych::VERSION >= '3.1.0'
             YAML.safe_load(yaml, permitted_classes: [Date])
           else
             # XXX: psych < 3.1.0 YAML.safe_load calling convention
             YAML.safe_load(yaml, [Date])
           end
         end

  unless data.kind_of?(Hash)
    raise("advisory data in #{path.dump} was not a Hash")
  end

  parse_versions = lambda { |versions|
    Array(versions).map do |version|
      Gem::Requirement.new(*version.split(', '))
    end
  }

  return new(
    path,
    id,
    data['url'],
    data['title'],
    data['date'],
    data['description'],
    data['cvss_v2'],
    data['cvss_v3'],
    data['cve'],
    data['osvdb'],
    data['ghsa'],
    parse_versions[data['unaffected_versions']],
    parse_versions[data['patched_versions']]
  )
end

Instance Method Details

#==(other) ⇒ Boolean

Compares two advisories.

Parameters:

Returns:

  • (Boolean)


210
211
212
# File 'lib/bundler/audit/advisory.rb', line 210

def ==(other)
  id == other.id
end

#criticality:none, ...

Determines how critical the vulnerability is.

Returns:

  • (:none, :low, :medium, :high, :critical, nil)

    The criticality of the vulnerability based on the CVSS score.



138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
# File 'lib/bundler/audit/advisory.rb', line 138

def criticality
  if cvss_v3
    case cvss_v3
    when 0.0       then :none
    when 0.1..3.9  then :low
    when 4.0..6.9  then :medium
    when 7.0..8.9  then :high
    when 9.0..10.0 then :critical
    end
  elsif cvss_v2
    case cvss_v2
    when 0.0..3.9  then :low
    when 4.0..6.9  then :medium
    when 7.0..10.0 then :high
    end
  end
end

#cve_idString?

The CVE identifier.

Returns:

  • (String, nil)


93
94
95
# File 'lib/bundler/audit/advisory.rb', line 93

def cve_id
  "CVE-#{cve}" if cve
end

#ghsa_idString?

The GHSA (GitHub Security Advisory) identifier

Returns:

  • (String, nil)

Since:

  • 0.7.0



113
114
115
# File 'lib/bundler/audit/advisory.rb', line 113

def ghsa_id
  "GHSA-#{ghsa}" if ghsa
end

#identifiersArray<String>

Return a compacted list of all ids

Returns:

  • (Array<String>)

Since:

  • 0.7.0



124
125
126
127
128
129
130
# File 'lib/bundler/audit/advisory.rb', line 124

def identifiers
  [
    cve_id,
    osvdb_id,
    ghsa_id
  ].compact
end

#osvdb_idString?

The OSVDB identifier.

Returns:

  • (String, nil)


102
103
104
# File 'lib/bundler/audit/advisory.rb', line 102

def osvdb_id
  "OSVDB-#{osvdb}" if osvdb
end

#patched?(version) ⇒ Boolean

Checks whether the version is patched against the advisory.

Parameters:

Returns:

  • (Boolean)

    Specifies whether the version is patched against the advisory.

Since:

  • 0.2.0



184
185
186
187
188
# File 'lib/bundler/audit/advisory.rb', line 184

def patched?(version)
  patched_versions.any? do |patched_version|
    patched_version === version
  end
end

#to_hHash{Symbol => Object}

Converts the advisory to a Hash.

Returns:

  • (Hash{Symbol => Object})


219
220
221
222
223
# File 'lib/bundler/audit/advisory.rb', line 219

def to_h
  super.merge({
    criticality: criticality
  })
end

#unaffected?(version) ⇒ Boolean

Checks whether the version is not affected by the advisory.

Parameters:

Returns:

  • (Boolean)

    Specifies whether the version is not affected by the advisory.

Since:

  • 0.2.0



167
168
169
170
171
# File 'lib/bundler/audit/advisory.rb', line 167

def unaffected?(version)
  unaffected_versions.any? do |unaffected_version|
    unaffected_version === version
  end
end

#vulnerable?(version) ⇒ Boolean

Checks whether the version is vulnerable to the advisory.

Parameters:

Returns:

  • (Boolean)

    Specifies whether the version is vulnerable to the advisory or not.



199
200
201
# File 'lib/bundler/audit/advisory.rb', line 199

def vulnerable?(version)
  !patched?(version) && !unaffected?(version)
end