class Dawn::Kb::UnsafeDependencyCheck

While working on the KB rebase, fetching data from the NVD API, I realized I had to change the way a vulnerable dependency is handled. Instead of changing what works right now, I'll add a new dependency check Ruby class. NVD bulletins list the versions that are vulnerable, and working out the first safe version would require an extra step after data fetching, which would break the automation.

This class will handle a dependency name, the version found in Gemfile.lock and an array of vulnerable versions. If the version found is in the array, then the vuln? method returns true. This approach is far easier than the one chosen in the past.

Attributes

dependencies[RW]
vulnerable_version_array[RW]

Public Class Methods

new(options)
Calls superclass method Dawn::Kb::BasicCheck::new
# File lib/dawn/kb/unsafe_depedency_check.rb, line 21
def initialize(options)
  super(options)
end

Public Instance Methods

vuln?()
# File lib/dawn/kb/unsafe_depedency_check.rb, line 25
def vuln?
  ret = false

  # 20210325: I know... a single check handles a single dependency so,
  # this should not be an array. This involves too many underlying
  # changes one day I'll make.
  @dependencies.each do |dep|
    unless @vulnerable_version_array.nil? or @vulnerable_version_array.empty?
      if dep[:name] == @vulnerable_version_array[0][:name]

        # Bulletin gives an inclusive upper bound: every version up to and
        # including it is affected. Gem::Version compares semantically,
        # so 2.0.10 is correctly treated as newer than 2.0.7.
        unless @vulnerable_version_array[0][:versionEndIncluding].nil?
          if (Gem::Version.new(dep[:version]) > Gem::Version.new(@vulnerable_version_array[0][:versionEndIncluding]))
            return false
          else
            return true
          end
        end

        # Bulletin gives an exclusive upper bound: the bound itself is the
        # first fixed version.
        unless @vulnerable_version_array[0][:versionEndExcluding].nil?
          if (Gem::Version.new(dep[:version]) >= Gem::Version.new(@vulnerable_version_array[0][:versionEndExcluding]))
            return false
          else
            return true
          end
        end
        # No range given: fall back to an explicit list of affected versions.
        return true   if @please_ignore_dep_version
        return false  if @vulnerable_version_array[0][:version].nil? or @vulnerable_version_array[0][:version].empty?
        return true   if @vulnerable_version_array[0][:version].include? dep[:version]
      end
    end
  end

  return false
end
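The example below is added here to show the whole flow the class description and vuln? imply, from a Gemfile.lock down to a vulnerable/not-vulnerable verdict. It is not Dawnscanner's code: parse_gemfile_lock, dependency_vulnerable? and scan are hypothetical helper names, and the lockfile fragment and bulletins are constructed sample data in the same :name / :versionEndIncluding / :versionEndExcluding / :version shape the check above reads. It also covers two things the page's source does not spell out: that Gem::Version ordering is semantic rather than lexical, and that a malformed version string (which would make Gem::Version.new raise) is treated as not comparable instead of crashing the scan.

```ruby
require 'rubygems' # Gem::Version ships with RubyGems

# Constructed Gemfile.lock fragment (not taken from any real project).
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.0.7)
      rails (5.2.3)
      nokogiri (1.10.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (~> 5.2)
LOCK

# Constructed bulletins, one per range style the check understands.
SAMPLE_BULLETINS = [
  { name: 'rack',     versionEndIncluding: '2.0.7' },          # <= 2.0.7 affected
  { name: 'rails',    versionEndExcluding: '5.2.4' },          # <  5.2.4 affected
  { name: 'nokogiri', version: ['1.10.3', '1.10.4'] }          # explicit list
]

# Pull "name (version)" pairs out of the specs: block of a Gemfile.lock.
# Only the four-space-indented lines carry a resolved version; deeper lines
# are sub-dependency constraints and are skipped.
def parse_gemfile_lock(text)
  deps = []
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^[A-Z]/ # GEM / PLATFORMS / DEPENDENCIES headers
    next unless in_specs
    deps << { name: $1, version: $2 } if line =~ /^    (\S+) \(([^)]+)\)\s*$/
  end
  deps
end

# Decide whether one resolved dependency falls inside a bulletin's affected
# range. Same three cases as vuln? above: inclusive bound, exclusive bound,
# explicit version list. Unparseable versions are reported as not vulnerable
# rather than raising, so one odd lockfile entry cannot abort the scan.
def dependency_vulnerable?(dep, bulletin)
  return false unless dep[:name] == bulletin[:name]
  return false unless Gem::Version.correct?(dep[:version])
  found = Gem::Version.new(dep[:version])

  if bulletin[:versionEndIncluding]
    return found <= Gem::Version.new(bulletin[:versionEndIncluding])
  end
  if bulletin[:versionEndExcluding]
    return found < Gem::Version.new(bulletin[:versionEndExcluding])
  end

  list = bulletin[:version]
  return false if list.nil? || list.empty?
  list.include?(dep[:version])
end

# Check every lockfile entry against every bulletin and return the hits
# as "name version" strings.
def scan(lock_text, bulletins)
  parse_gemfile_lock(lock_text)
    .select { |dep| bulletins.any? { |b| dependency_vulnerable?(dep, b) } }
    .map { |dep| "#{dep[:name]} #{dep[:version]}" }
end

if __FILE__ == $PROGRAM_NAME
  puts scan(SAMPLE_GEMFILE_LOCK, SAMPLE_BULLETINS)
end
```

With the constructed data, rack 2.0.7 (equal to the inclusive bound) and rails 5.2.3 (below the exclusive bound) are flagged, while nokogiri 1.10.5 is not in the explicit list and passes. Because the comparison is done on Gem::Version objects, a lockfile pin of rack 2.0.10 is correctly judged newer than the 2.0.7 bound even though "2.0.10" sorts before "2.0.7" as a string.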