Class: Brew::Vulns::Vulnerability

Inherits:

Object

• Object
• Brew::Vulns::Vulnerability

Defined in:

lib/brew/vulns/vulnerability.rb

Constant Summary

CVSS_TYPE_PRIORITY =

{
  "CVSS_V4" => 4,
  "CVSS_V3" => 3,
  "CVSS_V2" => 2
}.freeze

Instance Attribute Summary

• #affected ⇒ Object readonly

  Returns the value of attribute affected.

• #aliases ⇒ Object readonly

  Returns the value of attribute aliases.

• #details ⇒ Object readonly

  Returns the value of attribute details.

• #id ⇒ Object readonly

  Returns the value of attribute id.

• #references ⇒ Object readonly

  Returns the value of attribute references.

• #severity ⇒ Object readonly

  Returns the value of attribute severity.

• #summary ⇒ Object readonly

  Returns the value of attribute summary.

Class Method Summary

• .from_osv_list(vulns_data) ⇒ Object

Instance Method Summary

• #advisory_url ⇒ Object
• #affects_version?(version, default_ecosystem = "gem") ⇒ Boolean
• #build_constraint_sets(events) ⇒ Object
• #build_limit_constraint(limit) ⇒ Object
• #cve_ids ⇒ Object
• #cvss_severities(severities) ⇒ Object
• #extract_ecosystem(aff, default_ecosystem) ⇒ Object
• #extract_severity(data) ⇒ Object
• #fix_urls ⇒ Object
• #fixed_versions ⇒ Object
• #identifiers ⇒ Object
• #in_explicit_versions?(aff, version) ⇒ Boolean
• #in_semver_ranges?(aff, version, ecosystem) ⇒ Boolean
• #initialize(data) ⇒ Vulnerability constructor

  A new instance of Vulnerability.

• #normalize_severity(severity) ⇒ Object
• #normalize_version(version) ⇒ Object
• #severity_display ⇒ Object
• #severity_from_cvss(vector) ⇒ Object
• #severity_level ⇒ Object
• #version_in_range?(version, events, ecosystem) ⇒ Boolean

Constructor Details

#initialize(data) ⇒ Vulnerability

Returns a new instance of Vulnerability.

# File 'lib/brew/vulns/vulnerability.rb', line 18

def initialize(data)
  @id = data["id"]
  @summary = data["summary"]
  @details = data["details"]
  @aliases = data["aliases"] || []
  @references = data["references"] || []
  @affected = data["affected"] || []
  @severity = extract_severity(data)
end

Instance Attribute Details

#affected ⇒ Object (readonly)

Returns the value of attribute affected.

# File 'lib/brew/vulns/vulnerability.rb', line 16

def affected
  @affected
end

#aliases ⇒ Object (readonly)

Returns the value of attribute aliases.

# File 'lib/brew/vulns/vulnerability.rb', line 16

def aliases
  @aliases
end

#details ⇒ Object (readonly)

Returns the value of attribute details.

# File 'lib/brew/vulns/vulnerability.rb', line 16

def details
  @details
end

#id ⇒ Object (readonly)

Returns the value of attribute id.

# File 'lib/brew/vulns/vulnerability.rb', line 16

def id
  @id
end

#references ⇒ Object (readonly)

Returns the value of attribute references.

# File 'lib/brew/vulns/vulnerability.rb', line 16

def references
  @references
end

#severity ⇒ Object (readonly)

Returns the value of attribute severity.

# File 'lib/brew/vulns/vulnerability.rb', line 16

def severity
  @severity
end

#summary ⇒ Object (readonly)

Returns the value of attribute summary.

# File 'lib/brew/vulns/vulnerability.rb', line 16

def summary
  @summary
end

Class Method Details

.from_osv_list(vulns_data) ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 84

def self.from_osv_list(vulns_data)
  vulns_data.map { |data| new(data) }
end

Instance Method Details

#advisory_url ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 50

def advisory_url
  ref = references.find { |r| r["type"] == "ADVISORY" }
  ref&.dig("url")
end

#affects_version?(version, default_ecosystem = "gem") ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/brew/vulns/vulnerability.rb', line 71

def affects_version?(version, default_ecosystem = "gem")
  return true if affected.empty?

  normalized_version = normalize_version(version)

  affected.any? do |aff|
    ecosystem = extract_ecosystem(aff, default_ecosystem)

    in_explicit_versions?(aff, normalized_version) ||
      in_semver_ranges?(aff, normalized_version, ecosystem)
  end
end

#build_constraint_sets(events) ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 180

def build_constraint_sets(events)
  constraint_sets = []
  constraints = nil

  events.each do |event|
    if event["introduced"]
      constraints = []
      intro = normalize_version(event["introduced"])
      constraints << ">=#{intro}" unless intro == "0"
    elsif event["fixed"]
      constraints ||= []
      constraints << "<#{normalize_version(event["fixed"])}"
      constraint_sets << constraints
      constraints = nil
    elsif event["last_affected"]
      constraints ||= []
      constraints << "<=#{normalize_version(event["last_affected"])}"
      constraint_sets << constraints
      constraints = nil
    elsif event["limit"]
      constraints ||= []
      limit_constraint = build_limit_constraint(event["limit"])
      constraints << limit_constraint if limit_constraint
      constraint_sets << constraints
      constraints = nil
    end
  end

  constraint_sets << constraints if constraints
  constraint_sets
end

#build_limit_constraint(limit) ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 212

def build_limit_constraint(limit)
  limit = limit.to_s
  return if limit == "*"

  "<#{normalize_version(limit)}"
end

#cve_ids ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 46

def cve_ids
  identifiers.select { |a| a.start_with?("CVE-") }
end

#cvss_severities(severities) ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 111

def cvss_severities(severities)
  severities
    .select { |sev| CVSS_TYPE_PRIORITY.key?(sev["type"]) }
    .sort_by { |sev| -CVSS_TYPE_PRIORITY.fetch(sev["type"], 0) }
end

#extract_ecosystem(aff, default_ecosystem) ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 144

def extract_ecosystem(aff, default_ecosystem)
  purl_str = aff.dig("package", "purl")
  return default_ecosystem unless purl_str

  purl = Purl.parse(purl_str)
  purl.type
rescue StandardError => e
  warn "Warning: Failed to parse purl '#{purl_str}': #{e.message}"
  default_ecosystem
end

#extract_severity(data) ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 88

def extract_severity(data)
  if data["severity"]&.any?
    cvss_severities(data["severity"]).each do |sev|
      cvss_severity = severity_from_cvss(sev["score"])
      return cvss_severity if cvss_severity
    end
  end

  if data.dig("database_specific", "severity")
    return normalize_severity(data.dig("database_specific", "severity"))
  end

  data["affected"]&.each do |aff|
    eco_sev = aff.dig("ecosystem_specific", "severity")
    return normalize_severity(eco_sev) if eco_sev

    db_sev = aff.dig("database_specific", "severity")
    return normalize_severity(db_sev) if db_sev
  end

  nil
end

#fix_urls ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 55

def fix_urls
  references.select { |r| r["type"] == "FIX" }.map { |r| r["url"] }
end

#fixed_versions ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 59

def fixed_versions
  versions = []
  affected.each do |aff|
    (aff["ranges"] || []).each do |range|
      (range["events"] || []).each do |event|
        versions << event["fixed"] if event["fixed"]
      end
    end
  end
  versions.uniq
end

#identifiers ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 42

def identifiers
  ([id] + aliases).compact
end

#in_explicit_versions?(aff, version) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/brew/vulns/vulnerability.rb', line 155

def in_explicit_versions?(aff, version)
  versions = aff["versions"] || []
  versions.any? { |v| normalize_version(v) == version }
end

#in_semver_ranges?(aff, version, ecosystem) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/brew/vulns/vulnerability.rb', line 160

def in_semver_ranges?(aff, version, ecosystem)
  ranges = aff["ranges"] || []
  semver_ranges = ranges.select { |r| r["type"] == "SEMVER" }

  semver_ranges.any? do |range|
    version_in_range?(version, range["events"], ecosystem)
  end
end

#normalize_severity(severity) ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 117

def normalize_severity(severity)
  return nil unless severity

  case severity.downcase
  when "critical" then "critical"
  when "high" then "high"
  when "moderate", "medium" then "medium"
  when "low" then "low"
  end
end

#normalize_version(version) ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 140

def normalize_version(version)
  version.sub(/^v/, "")
end

#severity_display ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 28

def severity_display
  severity&.upcase || "UNKNOWN"
end

#severity_from_cvss(vector) ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 128

def severity_from_cvss(vector)
  return nil if vector.to_s.empty?

  cvss = CvssSuite.new(vector)

  normalize_severity(cvss.severity)
rescue StandardError
  warn "Warning: Failed to determine severity from CVSS vector " \
       "'#{vector}' for '#{id}'"
  nil
end

#severity_level ⇒ Object

# File 'lib/brew/vulns/vulnerability.rb', line 32

def severity_level
  case severity&.downcase
  when "critical" then 4
  when "high" then 3
  when "medium" then 2
  when "low" then 1
  else 0
  end
end

#version_in_range?(version, events, ecosystem) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/brew/vulns/vulnerability.rb', line 169

def version_in_range?(version, events, ecosystem)
  return false if events.nil? || events.empty?

  build_constraint_sets(events).any? do |constraints|
    constraints.empty? || Vers.satisfies?(version, constraints.join(","), ecosystem)
  end
rescue StandardError => e
  warn "Warning: Failed to check version '#{version}' against constraints: #{e.message}"
  true
end