Class: Dawn::Kb::UnsafeDependencyCheck

Inherits: Object
Includes: BasicCheck
Defined in: lib/dawn/kb/unsafe_depedency_check.rb

Overview

While working on the KB rebase, fetching data from the NVD API, I suddenly realized I must change the way a vulnerable dependency is handled. Instead of changing what is working right now, I'll add a new dependency check Ruby class. NVD bulletins list the versions that are vulnerable, and it would break the automatism to add a post-data-fetching step to work out which is the first safe version.

This class will handle a dependency name, the version found in Gemfile.lock and an array of vulnerable versions. If the version found is in the array, then the vuln? method returns true. This is a far easier approach than the one chosen in the past.

Constant Summary

Constants included from BasicCheck

BasicCheck::ALLOWED_FAMILIES

Instance Attribute Summary

Attributes included from BasicCheck

#applies, #aux_links, #check_family, #cve, #cvss, #cwe, #debug, #evidences, #fixes_version, #kind, #message, #mitigated, #name, #osvdb, #owasp, #please_ignore_dep_version, #priority, #release_date, #remediation, #ruby_version, #ruby_vulnerable_versions, #severity, #status, #target_version, #title

Instance Method Summary

Methods included from BasicCheck

#applies_to?, #cve_link, #cvss_score, families, #family, #family=, #lint, #mitigated?, #nvd_link, #osvdb_link, #rubysec_advisories_link

Constructor Details

#initialize(options) ⇒ UnsafeDependencyCheck

Returns a new instance of UnsafeDependencyCheck.

# File 'lib/dawn/kb/unsafe_depedency_check.rb', line 21

def initialize(options)
  super(options)
end

Instance Attribute Details

#dependencies ⇒ Object

Returns the value of attribute dependencies.

# File 'lib/dawn/kb/unsafe_depedency_check.rb', line 18

def dependencies
  @dependencies
end

#vulnerable_version_array ⇒ Object

Returns the value of attribute vulnerable_version_array.

# File 'lib/dawn/kb/unsafe_depedency_check.rb', line 19

def vulnerable_version_array
  @vulnerable_version_array
end

Instance Method Details

#vuln? ⇒ Boolean

Returns:

  • (Boolean)

# File 'lib/dawn/kb/unsafe_depedency_check.rb', line 25

def vuln?
  ret = false

  # 20210325: I know... a single check handles a single dependency so,
  # this should not be an array. This involves too many underlying
  # changes one day I'll make.
  @dependencies.each do |dep|
    unless @vulnerable_version_array.nil? or @vulnerable_version_array.empty?
      # Only the first advisory entry is consulted; it must match the gem name.
      if dep[:name] == @vulnerable_version_array[0][:name]

        # NVD CPE match data: an inclusive upper bound on the vulnerable range.
        unless @vulnerable_version_array[0][:versionEndIncluding].nil?
          if (Gem::Version.new(dep[:version]) > Gem::Version.new(@vulnerable_version_array[0][:versionEndIncluding]))
            return false
          else
            return true
          end
        end

        # NVD CPE match data: an exclusive upper bound on the vulnerable range.
        unless @vulnerable_version_array[0][:versionEndExcluding].nil?
          if (Gem::Version.new(dep[:version]) >= Gem::Version.new(@vulnerable_version_array[0][:versionEndExcluding]))
            return false
          else
            return true
          end
        end
        # No range bounds: fall back to an explicit list of vulnerable versions.
        # Note: if :version is a String rather than an Array, include? is a
        # substring test, so "1.0" would also match "11.0.1".
        return true   if @please_ignore_dep_version
        return false  if @vulnerable_version_array[0][:version].nil? or @vulnerable_version_array[0][:version].empty?
        return true   if @vulnerable_version_array[0][:version].include? dep[:version]
      end
    end
  end

  return false
end
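The Overview above describes the check's input (a gem name, the version found in Gemfile.lock and a list of vulnerable versions) and vuln? shows the decision order (inclusive upper bound, then exclusive upper bound, then an explicit version list). The following stand-alone Ruby script is an added example, not code from dawnscanner or its author: it re-implements that decision order without depending on the dawn gem, runs it over a constructed Gemfile.lock excerpt and constructed NVD-style entries, and normalises the version list with Array() so that membership is an exact element match rather than the substring match that String#include? would give. The gem names, versions and advisory entries are made up for illustration.

```ruby
require 'rubygems' # Gem::Version ships with RubyGems; required explicitly for clarity

# Constructed Gemfile.lock excerpt (not taken from any real project).
GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.2)
      nokogiri (1.11.3)
        mini_portile2 (~> 2.5.0)
      rails (6.1.3)
LOCK

# Constructed NVD-style entries, one per gem; illustrative, not real advisories.
ADVISORIES = [
  { name: 'rack',     versionEndExcluding: '2.2.3' },      # vulnerable if < 2.2.3
  { name: 'nokogiri', versionEndIncluding: '1.11.3' },     # vulnerable if <= 1.11.3
  { name: 'rails',    version: ['6.1.0', '6.1.1'] },       # explicit vulnerable list
]

# Extract the top-level "name (version)" lines of the specs section.
# Top-level gems are indented by exactly four spaces; their transitive
# dependencies (six spaces) and the other sections are skipped.
def parse_gemfile_lock(text)
  text.each_line.filter_map do |line|
    m = line.match(/\A {4}([A-Za-z0-9_.\-]+) \(([^)]+)\)\s*\z/)
    { name: m[1], version: m[2] } if m
  end
end

# Decide whether +found+ is vulnerable according to one advisory entry,
# using the same precedence as vuln? on this page: an inclusive upper bound
# wins, then an exclusive upper bound, then the explicit version list.
# +ignore_version+ plays the role of @please_ignore_dep_version.
def vulnerable_version?(found, entry, ignore_version: false)
  v = Gem::Version.new(found)
  return v <= Gem::Version.new(entry[:versionEndIncluding]) if entry[:versionEndIncluding]
  return v <  Gem::Version.new(entry[:versionEndExcluding]) if entry[:versionEndExcluding]
  return true if ignore_version

  bad = Array(entry[:version])   # String or Array -> Array; nil -> []
  return false if bad.empty?
  bad.include?(found)            # exact element match, never a substring match
end

# Names of the locked gems that at least one matching advisory flags.
def find_unsafe_dependencies(lock_text, advisories)
  parse_gemfile_lock(lock_text)
    .select { |dep| advisories.any? { |a| a[:name] == dep[:name] && vulnerable_version?(dep[:version], a) } }
    .map { |dep| dep[:name] }
end

if __FILE__ == $PROGRAM_NAME
  puts find_unsafe_dependencies(GEMFILE_LOCK, ADVISORIES).inspect # => ["rack", "nokogiri"]
end
```

Running the script reports rack (2.2.2 is below the exclusive bound 2.2.3) and nokogiri (1.11.3 equals the inclusive bound), while rails 6.1.3 is not in its explicit list and stays clean. The Array() normalisation is the one deliberate departure from the page's logic: with a plain String in :version, include? would treat "1.0" as matching "11.0.1".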