class YAVDB::Sources::NPMJS::Client

API_URL

# File lib/yavdb/sources/npmjs.rb, line 31
def self.advisories
  # Walk the npmjs advisory feed from page 0 until the feed stops advancing,
  # then turn each raw package record into a YAVDB::Advisory.
  #
  # @return [Array<YAVDB::Advisory>]
  parse_vulnerabilities(fetch_packages_recursive(0))
end

# File lib/yavdb/sources/npmjs.rb, line 63
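def create(package)
  # Build one YAVDB::Advisory from a raw npmjs advisory record (the Hash
  # exposed through window.__context__ on the advisories page).
  #
  # @param package [Hash] one entry of advisoriesData['objects']
  # @return [YAVDB::Advisory]
  # @raise [TypeError, ArgumentError] when 'created'/'updated' are not
  #   epoch-second strings ('%s'), since Date.strptime raises on bad input
  published_date = Date.strptime(package['created'], '%s')
  updated_date   = Date.strptime(package['updated'], '%s')

  cves = package['cves'] || []

  # An absent vulnerable_versions range is recorded as '*' (every version).
  versions = [package['vulnerable_versions']]
  versions = ['*'] unless versions.any?

  # Identifier is built from feed-supplied values; it is a lookup key, not
  # something that is validated here.
  vuln_id = "npmjs:npm:#{package['module_name']}:#{package['id']}"

  # found_by may be missing from a record; dig avoids raising NoMethodError
  # on a nil reporter block and leaves the reporter name nil instead.
  reporter = package.dig('found_by', 'name')

  YAVDB::Advisory.new(
    vuln_id,
    package['title'],
    package['overview'],
    package['module_name'],
    versions,
    nil, #:unaffected_versions
    nil, #:patched_versions
    parse_severity(package['severity']),
    'npm',
    cves,
    package['cwe'],
    nil, #:osvdb
    nil, #:cvss_v2_vector
    nil, #:cvss_v2_score
    nil, #:cvss_v3_vector
    nil, #:cvss_v3_score
    published_date,
    published_date,
    updated_date,
    reporter,
    package['url'],
    package['url']
  )
end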
# File lib/yavdb/sources/npmjs.rb, line 40
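def fetch_packages_recursive(page_number)
  # Fetch one page of the npmjs advisories listing and recurse into the
  # following pages until the feed's "next" URL points back at the current
  # page. Returns the concatenated raw package records of all pages visited.
  #
  # @param page_number [Integer] zero-based page index
  # @return [Array<Hash>] advisoriesData['objects'] across all pages
  # @raise [RuntimeError] when the page carries no window.__context__ script
  page = get_page_html(get_page_url(page_number), false, 'npmjs/feed')

  # Previously a page without the expected script raised NoMethodError on nil;
  # fail with a message that names the page instead.
  script_tag = page.css('script').find { |script| script.text.include?('window.__context__') }
  raise "npmjs advisories page #{page_number} contains no window.__context__ script" unless script_tag

  # The inline script is remote content that is evaluated by the ExecJS
  # runtime to recover the embedded JSON. NOTE(review): confirm the configured
  # ExecJS runtime does not expose host APIs (filesystem, network) to the
  # evaluated script, and that this stays the only thing executed from it.
  context       = ExecJS.compile("var window = {};\n#{script_tag.text.force_encoding('utf-8')};")
  advisory_data = context.exec('return window.__context__.context.advisoriesData')

  packages = advisory_data['objects'] || []

  # Stop when the feed has no next URL or the next URL still names this page.
  next_url      = advisory_data.dig('urls', 'next')
  next_packages = if next_url && !next_url.include?("page=#{page_number}")
                    fetch_packages_recursive(page_number + 1)
                  else
                    []
                  end

  packages.concat(next_packages)
end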
# File lib/yavdb/sources/npmjs.rb, line 100
def get_page_html(source_url, with_cache, group_cache_key)
  # Download the page through the shared HTTP helper and hand the body to Oga
  # in strict mode, so malformed HTML surfaces as a parse error instead of a
  # silently different tree.
  #
  # @param source_url [String]
  # @param with_cache [Boolean] forwarded to YAVDB::Utils::HTTP
  # @param group_cache_key [String] forwarded to YAVDB::Utils::HTTP
  # @return [Oga::XML::Document]
  body = YAVDB::Utils::HTTP.get_page_contents(source_url, with_cache, group_cache_key)
  Oga.parse_html(body, :strict => true)
end
# File lib/yavdb/sources/npmjs.rb, line 105
def get_page_url(page)
  # Listing URL for one page of the advisories feed: 100 entries per page,
  # newest id first.
  #
  # @param page [Integer] zero-based page index
  # @return [String]
  query = "advisories?page=#{page}&perPage=100&order=-id"
  [API_URL, query].join('/')
end
# File lib/yavdb/sources/npmjs.rb, line 109
def parse_severity(severity)
  # Map the npmjs severity label onto the yavdb vocabulary (low/medium/high).
  # Anything unrecognised, including nil, is reported as 'high' so an unknown
  # label never lowers an advisory's severity.
  #
  # @param severity [String, nil]
  # @return [String] one of 'low', 'medium', 'high'
  mapping = {
    'low'      => 'low',
    'moderate' => 'medium',
    'high'     => 'high',
    'critical' => 'high'
  }
  mapping.fetch(severity, 'high')
end
# File lib/yavdb/sources/npmjs.rb, line 59
def parse_vulnerabilities(packages)
  # Convert every raw package record into an advisory via create and return
  # a flat list.
  #
  # @param packages [Array<Hash>]
  # @return [Array<YAVDB::Advisory>]
  advisories = packages.each_with_object([]) { |package, acc| acc << create(package) }
  advisories.flatten
end