Class: Yarn::Audit::Wrap::Main

Inherits:
Object
Defined in:
lib/yarn/audit/wrap.rb


Constructor Details

#initialize(args) ⇒ Main

Initialize the main loop

If `args` is empty, the option defaults will be used.

Parameters:

  • args

[Array<String>] ARGV; may be an empty array if no options were passed in.



# File 'lib/yarn/audit/wrap.rb', line 46

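# Parse the command line into @opts.
#
# @param args [Array<String>] ARGV; may be empty, in which case OptParser's
#   defaults apply.
# @raise [SystemExit] with status 1 when the options cannot be parsed. Both
#   errors are reported on stderr first. Without parsed options the object is
#   unusable (`run` would call `[]` on a nil @opts), so the process is ended
#   here with a clear message and a failing status instead of letting the
#   problem resurface later as a NoMethodError.
def initialize args
  @opts = OptParser.new(args)
rescue FileNotFoundError
  err "File not found"
  exit 1
rescue MissingOptionValueError
  err "Missing value for option #{$!}"
  exit 1
end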

Instance Method Details

#err(str) ⇒ Object



# File 'lib/yarn/audit/wrap.rb', line 31

# Write an error line to stderr.
#
# The call goes through public_send deliberately: standardrb would otherwise
# push this towards `warn`, but in this file `warn` is redefined to write to
# stdout, and errors must stay on stderr.
#
# @param str [String] the message
# @return [nil]
def err str
  $stderr.public_send(:puts, str)
end

#handle_advisories(advisories:, summary:, opts:) ⇒ Object



# File 'lib/yarn/audit/wrap.rb', line 90

# Report the audit outcome and terminate with the matching shell status.
#
# @param advisories [Array, nil] advisories that survived filtering; nil or
#   empty means nothing was flagged
# @param summary [Object] printed via #inspect only in the clean case
# @param opts [Hash] accepted for interface parity; not consulted here
# @raise [SystemExit] status 1 when anything was flagged, 0 otherwise
def handle_advisories(advisories:, summary:, opts:)
  flagged = advisories ? advisories.size : 0

  if flagged > 0
    warn "yarn-audit: #{flagged} flagged packages"
    exit 1
  end

  warn "yarn-audit: No advisories flagged."
  warn summary.inspect
  exit 0
end

#process(audit_output:, config:, opts:) ⇒ Object



# File 'lib/yarn/audit/wrap.rb', line 74

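# Split the parsed audit entries into the ones that count and the ones that
# are ignored.
#
# An entry counts only when its severity is in opts[:audit_levels] AND
# #use_advisory? does not ignore it; everything else is recorded on
# audit_output via add_ignored (keyed by severity) so the summary can report
# it. Iteration uses #each rather than the original #select, whose discarded
# result array was only a side-effect vehicle.
#
# @param audit_output [#each, #add_ignored] parsed `yarn audit --json` entries
# @param config [Object] ignore directives, passed through to #use_advisory?
# @param opts [Hash] must carry :audit_levels (an Array of severity strings);
#   a missing key raises NoMethodError here, which is the fail-closed choice
#   for a security gate and is left as is
# @return [Array<Hash>] the entries that count as vulnerabilities
def process(audit_output:, config:, opts:)
  levels = opts[:audit_levels]
  used = []

  audit_output.each do |item|
    severity = item["data"]["advisory"]["severity"]
    # Short-circuit keeps #use_advisory? (and its output) to in-scope levels.
    if levels.include?(severity) && use_advisory?(advisory: item, config: config)
      used << item
    else
      audit_output.add_ignored type: severity, val: item
    end
  end

  used
end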

#run ⇒ Object



# File 'lib/yarn/audit/wrap.rb', line 54

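# Run the audit pipeline: (re)generate the yarn audit report, parse it, apply
# the ignore config and print a summary.
#
# @return [Integer] number of vulnerabilities that count; 0 is shell success,
#   non-zero is failure
# @raise [YarnAuditRuntimeError] if no YarnCommand could be built
def run
  # Generates tmp/yarn-audit.json by default (rename/move via @opts). When
  # :skip_audit_gen is set the existing report on disk is reused as is —
  # which means the result is only as fresh as that file. The previous code
  # raised YarnAuditRuntimeError whenever the skip flag was set (cmd was nil),
  # so the option could never actually skip generation.
  unless @opts[:skip_audit_gen]
    cmd = YarnCommand.new(opts: @opts)
    raise YarnAuditRuntimeError unless cmd
    cmd.run
  end

  # parse output of yarn audit and store
  audit_output = AuditParser.new(opts: @opts)

  # load config, such as ignorelists
  config = Config.new(opts: @opts)

  # check and return results
  rv = process audit_output: audit_output, config: config, opts: @opts

  audit_output.print_summary

  rv.size # number of vulnerabilities.  0 is shell for success, non-zero is failure!
end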

#use_advisory?(advisory:, config:) ⇒ Boolean

`advisory` is a single entry from `yarn audit --json` output; `config` holds the set of ignore directives. An ignore entry matches when every one of its keys other than `:until` equals the corresponding field of the advisory. A matching entry silences the advisory unless its optional `:until` date is in the past, in which case the ignore has expired and the advisory is used.

Returns:

  • (Boolean)


# File 'lib/yarn/audit/wrap.rb', line 106

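# Decide whether an advisory counts, or is silenced by an ignore directive.
#
# Every ignore entry is consulted (the original returned true as soon as the
# first entry failed to match, so any entry after the first was never
# honoured). An entry matches when all of its keys except :until equal the
# advisory record's fields; a matching entry whose :until is in the past has
# expired and no longer silences the advisory.
#
# @param advisory [Hash] one `yarn audit --json` entry; the record compared
#   against is advisory["data"]["advisory"]
# @param config [#ignores] ignore directives, each a Hash
# @return [Boolean] true if the advisory should be used, false if ignored
def use_advisory?(advisory:, config:)
  record = advisory["data"]["advisory"]
  expired_match = false

  config.ignores.each do |ignore_item|
    match_keys = ignore_item.keys - [:until]
    # `[].all?` is true, so an entry carrying only :until (or nothing at all)
    # would silence every advisory. Refuse to honour it rather than fail open.
    if match_keys.empty?
      warn "Skipping ignore entry with no match criteria: #{ignore_item.inspect}"
      next
    end

    # NOTE(review): keys are compared as-is against the record. If Config yields
    # symbol keys while the parsed JSON record uses string keys, nothing will
    # ever match — confirm that Config normalises key types.
    next unless match_keys.all? { |key| record[key] == ignore_item[key] }

    # NOTE(review): `past?` is not core Ruby (Date/Time get it from
    # ActiveSupport); this assumes Config hands back objects that respond to it.
    if ignore_item[:until]&.past?
      # Expired ignore: keep scanning, a later entry may still cover it.
      warn "Found expired vulnerability.  Using advisory \"#{record["title"]}\""
      expired_match = true
    else
      warn "Actively ignoring.  \"#{record["title"]}\""
      return false
    end
  end

  warn "not found" unless expired_match
  true
end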

#warn(str) ⇒ Object



# File 'lib/yarn/audit/wrap.rb', line 37

# Informational output goes to stdout.
#
# This intentionally shadows Kernel#warn (which writes to stderr) for this
# class: progress/ignore messages are ordinary output here, and only #err
# writes to stderr.
#
# @param str [String] the message
# @return [nil]
def warn str
  $stdout.puts(str)
end