Class: Homebrew::Vulns::Scanner Private
This class is part of a private API. This class may only be used in the Homebrew/brew repository. Third parties should avoid using this class if possible, as it may be removed or changed without warning.
Defined Under Namespace
Class Method Summary collapse
- .repo_url(*urls) ⇒ String? private
- .resolved_ids(serialized_patches) ⇒ Array<String> private
- .source_from_sbom(prefix) ⇒ Array<([String, nil], [String, nil])>? private
- .tag(url) ⇒ String? private
Instance Method Summary collapse
- #build_target(formula) ⇒ Target? private
- #fetch_vulnerabilities(ids) ⇒ Array<Vulnerability> private
- #initialize(formulae, ignore_patches: true, min_severity: nil) ⇒ void constructor private
- #partition_patched(formula, target, vulns) ⇒ Array<(Array<Vulnerability>, Array<Vulnerability>)> private
- #scan ⇒ Results private
- #stale_target?(formula) ⇒ Boolean private
- #target_for(formula) ⇒ Target? private
Constructor Details
#initialize(formulae, ignore_patches: true, min_severity: nil) ⇒ void
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
128 129 130 131 132 |
# File 'vulns/scanner.rb', line 128 def initialize(formulae, ignore_patches: true, min_severity: nil) @formulae = formulae @ignore_patches = ignore_patches @min_severity_level = T.let(min_severity ? SEVERITY_LEVELS.fetch(min_severity) : 0, Integer) end |
Class Method Details
.repo_url(*urls) ⇒ String?
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
# File 'vulns/scanner.rb', line 28 def self.repo_url(*urls) urls.each do |url| next if url.nil? forge = FORGES.find { |f| url.include?(f) } next if forge.nil? match = url.match(%r{https?://#{Regexp.escape(forge)}/([^/]+/[^/]+)}) next if match.nil? repo_path = T.must(match[1]).sub(/\.git$/, "").sub(%r{/-/.*}, "") return "https://#{forge}/#{repo_path}" end nil end |
.resolved_ids(serialized_patches) ⇒ Array<String>
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
79 80 81 82 83 84 85 |
# File 'vulns/scanner.rb', line 79 def self.resolved_ids(serialized_patches) serialized_patches .flat_map { |p| Array(p["resolves"]) } .select { |r| r.is_a?(Hash) && r["type"] == "security" } .map { |r| r["id"].to_s.upcase } .uniq end |
.source_from_sbom(prefix) ⇒ Array<([String, nil], [String, nil])>?
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 |
# File 'vulns/scanner.rb', line 59 def self.source_from_sbom(prefix) file = prefix/SBOM::FILENAME return unless file.file? data = JSON.parse(file.read) src = Array(data["packages"]).find { |p| p["SPDXID"].to_s.match?(SBOM_SRC_SPDXID) } return if src.nil? url = src["downloadLocation"] url = nil if url == "NOASSERTION" version = src["versionInfo"] version = nil if version == "NOASSERTION" return if url.nil? && version.nil? [url, version] rescue JSON::ParserError nil end |
.tag(url) ⇒ String?
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
45 46 47 48 49 50 51 52 53 |
# File 'vulns/scanner.rb', line 45 def self.tag(url) return if url.nil? TAG_PATTERNS.each do |pattern| match = url.match(pattern) return match[1] if match end nil end |
Instance Method Details
#build_target(formula) ⇒ Target?
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 |
# File 'vulns/scanner.rb', line 184 def build_target(formula) stable = formula.stable stable_url = stable&.url head_url = formula.head&.url homepage = formula.homepage if (prefix = formula.any_installed_prefix) installed_pkg_version = formula.any_installed_version installed_version = installed_pkg_version&.version.to_s current_recipe_applies = installed_pkg_version == formula.pkg_version if (sbom = self.class.source_from_sbom(prefix)) sbom_url, sbom_version = sbom repo_url = self.class.repo_url(sbom_url, head_url, homepage) tag = self.class.tag(sbom_url) || sbom_version || installed_version.presence if repo_url && tag return Target.new(repo_url:, tag:, version: installed_version, from_installed_sbom: true, current_recipe_applies:) end end repo_url = self.class.repo_url(stable_url, head_url, homepage) tag = self.class.tag(stable_url) || stable&.specs&.[](:tag) || stable&.version&.to_s return if repo_url.nil? || tag.nil? return Target.new(repo_url:, tag:, version: installed_version, from_installed_sbom: false, current_recipe_applies:) end repo_url = self.class.repo_url(stable_url, head_url, homepage) tag = self.class.tag(stable_url) || stable&.specs&.[](:tag) || stable&.version&.to_s return if repo_url.nil? || tag.nil? Target.new(repo_url:, tag:, version: formula.version.to_s, from_installed_sbom: false, current_recipe_applies: true) end |
#fetch_vulnerabilities(ids) ⇒ Array<Vulnerability>
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
230 231 232 233 234 235 236 237 |
# File 'vulns/scanner.rb', line 230 def fetch_vulnerabilities(ids) records = ids.each_slice(MAX_VULN_FETCH_THREADS).flat_map do |slice| slice .map { |v| Thread.new { OSV.vulnerability(v.fetch("id")) } } .map { |t| T.cast(t.value, T::Hash[String, T.untyped]) } end Vulnerability.from_osv_list(records) end |
#partition_patched(formula, target, vulns) ⇒ Array<(Array<Vulnerability>, Array<Vulnerability>)>
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 |
# File 'vulns/scanner.rb', line 243 def partition_patched(formula, target, vulns) return [vulns, []] unless @ignore_patches # The current formula's `serialized_patches` reflects the recipe on # disk. If the scanned keg was built from an older recipe it may lack a # patch the recipe has since gained, so its `resolves` must not # suppress findings. return [vulns, []] unless target.current_recipe_applies resolved = self.class.resolved_ids(formula.serialized_patches) return [vulns, []] if resolved.empty? patched, open = vulns.partition do |v| v.identifiers.any? { |id| resolved.include?(id.to_s.upcase) } end [open, patched] end |
#scan ⇒ Results
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 |
# File 'vulns/scanner.rb', line 139 def scan queryable, skipped = @formulae.partition { |f| target_for(f) } outdated_without_sbom = queryable.select { |f| stale_target?(f) }.map(&:name) if queryable.empty? return Results.new(findings: [], checked: 0, skipped: skipped.size, outdated_without_sbom:) end targets = queryable.map { |f| T.must(target_for(f)) } batch = OSV.query_batch(targets.map { |t| { repo_url: t.repo_url, version: t.tag } }) findings = queryable.each_with_index.filter_map do |formula, index| target = targets.fetch(index) ids = batch.fetch(index) next if ids.empty? vulns = fetch_vulnerabilities(ids) .select { |v| v.affects_version?(target.tag) } .select { |v| v.severity_level >= @min_severity_level } next if vulns.empty? open, patched = partition_patched(formula, target, vulns) next if open.empty? && patched.empty? Finding.new( name: formula.name, version: target.version, tag: target.tag, repo_url: target.repo_url, open:, patched:, ) end Results.new(findings:, checked: queryable.size, skipped: skipped.size, outdated_without_sbom:) end |
#stale_target?(formula) ⇒ Boolean
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
222 223 224 225 226 227 |
# File 'vulns/scanner.rb', line 222 def stale_target?(formula) target = target_for(formula) return false if target.nil? || target.from_installed_sbom !target.current_recipe_applies end |
#target_for(formula) ⇒ Target?
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
176 177 178 179 180 181 |
# File 'vulns/scanner.rb', line 176 def target_for(formula) @targets ||= T.let({}, T.nilable(T::Hash[String, T.nilable(Target)])) @targets.fetch(formula.full_name) do @targets[formula.full_name] = build_target(formula) end end |