Class: Homebrew::Vulns::Scanner Private

Inherits:
Object
  • Object
show all
Defined in:
vulns/scanner.rb

This class is part of a private API. This class may only be used in the Homebrew/brew repository. Third parties should avoid using this class if possible, as it may be removed or changed without warning.

Defined Under Namespace

Classes: Finding, Results

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(formulae, ignore_patches: true, min_severity: nil) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

  • formulae (Array<Formula>)
  • ignore_patches (Boolean) (defaults to: true)
  • min_severity (Symbol, nil) (defaults to: nil)


128
129
130
131
132
# File 'vulns/scanner.rb', line 128

def initialize(formulae, ignore_patches: true, min_severity: nil)
  @formulae = formulae
  @ignore_patches = ignore_patches
  @min_severity_level = T.let(min_severity ? SEVERITY_LEVELS.fetch(min_severity) : 0, Integer)
end

Class Method Details

.repo_url(*urls) ⇒ String?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:



28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# File 'vulns/scanner.rb', line 28

def self.repo_url(*urls)
  urls.each do |url|
    next if url.nil?

    forge = FORGES.find { |f| url.include?(f) }
    next if forge.nil?

    match = url.match(%r{https?://#{Regexp.escape(forge)}/([^/]+/[^/]+)})
    next if match.nil?

    repo_path = T.must(match[1]).sub(/\.git$/, "").sub(%r{/-/.*}, "")
    return "https://#{forge}/#{repo_path}"
  end
  nil
end

.resolved_ids(serialized_patches) ⇒ Array<String>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:



79
80
81
82
83
84
85
# File 'vulns/scanner.rb', line 79

def self.resolved_ids(serialized_patches)
  serialized_patches
    .flat_map { |p| Array(p["resolves"]) }
    .select { |r| r.is_a?(Hash) && r["type"] == "security" }
    .map { |r| r["id"].to_s.upcase }
    .uniq
end

.source_from_sbom(prefix) ⇒ Array<([String, nil], [String, nil])>?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:



59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# File 'vulns/scanner.rb', line 59

def self.source_from_sbom(prefix)
  file = prefix/SBOM::FILENAME
  return unless file.file?

  data = JSON.parse(file.read)
  src = Array(data["packages"]).find { |p| p["SPDXID"].to_s.match?(SBOM_SRC_SPDXID) }
  return if src.nil?

  url = src["downloadLocation"]
  url = nil if url == "NOASSERTION"
  version = src["versionInfo"]
  version = nil if version == "NOASSERTION"
  return if url.nil? && version.nil?

  [url, version]
rescue JSON::ParserError
  nil
end

.tag(url) ⇒ String?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:



45
46
47
48
49
50
51
52
53
# File 'vulns/scanner.rb', line 45

def self.tag(url)
  return if url.nil?

  TAG_PATTERNS.each do |pattern|
    match = url.match(pattern)
    return match[1] if match
  end
  nil
end

Instance Method Details

#build_target(formula) ⇒ Target?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:

  • (Target, nil)


184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
# File 'vulns/scanner.rb', line 184

def build_target(formula)
  stable = formula.stable
  stable_url = stable&.url
  head_url = formula.head&.url
  homepage = formula.homepage

  if (prefix = formula.any_installed_prefix)
    installed_pkg_version = formula.any_installed_version
    installed_version = installed_pkg_version&.version.to_s
    current_recipe_applies = installed_pkg_version == formula.pkg_version

    if (sbom = self.class.source_from_sbom(prefix))
      sbom_url, sbom_version = sbom
      repo_url = self.class.repo_url(sbom_url, head_url, homepage)
      tag = self.class.tag(sbom_url) || sbom_version || installed_version.presence
      if repo_url && tag
        return Target.new(repo_url:, tag:, version: installed_version,
                          from_installed_sbom: true, current_recipe_applies:)
      end
    end

    repo_url = self.class.repo_url(stable_url, head_url, homepage)
    tag = self.class.tag(stable_url) || stable&.specs&.[](:tag) || stable&.version&.to_s
    return if repo_url.nil? || tag.nil?

    return Target.new(repo_url:, tag:, version: installed_version,
                      from_installed_sbom: false, current_recipe_applies:)
  end

  repo_url = self.class.repo_url(stable_url, head_url, homepage)
  tag = self.class.tag(stable_url) || stable&.specs&.[](:tag) || stable&.version&.to_s
  return if repo_url.nil? || tag.nil?

  Target.new(repo_url:, tag:, version: formula.version.to_s,
             from_installed_sbom: false, current_recipe_applies: true)
end

#fetch_vulnerabilities(ids) ⇒ Array<Vulnerability>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:



230
231
232
233
234
235
236
237
# File 'vulns/scanner.rb', line 230

def fetch_vulnerabilities(ids)
  records = ids.each_slice(MAX_VULN_FETCH_THREADS).flat_map do |slice|
    slice
      .map { |v| Thread.new { OSV.vulnerability(v.fetch("id")) } }
      .map { |t| T.cast(t.value, T::Hash[String, T.untyped]) }
  end
  Vulnerability.from_osv_list(records)
end

#partition_patched(formula, target, vulns) ⇒ Array<(Array<Vulnerability>, Array<Vulnerability>)>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:



243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
# File 'vulns/scanner.rb', line 243

def partition_patched(formula, target, vulns)
  return [vulns, []] unless @ignore_patches
  # The current formula's `serialized_patches` reflects the recipe on
  # disk. If the scanned keg was built from an older recipe it may lack a
  # patch the recipe has since gained, so its `resolves` must not
  # suppress findings.
  return [vulns, []] unless target.current_recipe_applies

  resolved = self.class.resolved_ids(formula.serialized_patches)
  return [vulns, []] if resolved.empty?

  patched, open = vulns.partition do |v|
    v.identifiers.any? { |id| resolved.include?(id.to_s.upcase) }
  end
  [open, patched]
end

#scanResults

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
# File 'vulns/scanner.rb', line 139

def scan
  queryable, skipped = @formulae.partition { |f| target_for(f) }
  outdated_without_sbom = queryable.select { |f| stale_target?(f) }.map(&:name)
  if queryable.empty?
    return Results.new(findings: [], checked: 0, skipped: skipped.size, outdated_without_sbom:)
  end

  targets = queryable.map { |f| T.must(target_for(f)) }
  batch = OSV.query_batch(targets.map { |t| { repo_url: t.repo_url, version: t.tag } })

  findings = queryable.each_with_index.filter_map do |formula, index|
    target = targets.fetch(index)
    ids = batch.fetch(index)
    next if ids.empty?

    vulns = fetch_vulnerabilities(ids)
            .select { |v| v.affects_version?(target.tag) }
            .select { |v| v.severity_level >= @min_severity_level }
    next if vulns.empty?

    open, patched = partition_patched(formula, target, vulns)
    next if open.empty? && patched.empty?

    Finding.new(
      name:     formula.name,
      version:  target.version,
      tag:      target.tag,
      repo_url: target.repo_url,
      open:,
      patched:,
    )
  end

  Results.new(findings:, checked: queryable.size, skipped: skipped.size, outdated_without_sbom:)
end

#stale_target?(formula) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:

  • (Boolean)


222
223
224
225
226
227
# File 'vulns/scanner.rb', line 222

def stale_target?(formula)
  target = target_for(formula)
  return false if target.nil? || target.from_installed_sbom

  !target.current_recipe_applies
end

#target_for(formula) ⇒ Target?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:

  • (Target, nil)


176
177
178
179
180
181
# File 'vulns/scanner.rb', line 176

def target_for(formula)
  @targets ||= T.let({}, T.nilable(T::Hash[String, T.nilable(Target)]))
  @targets.fetch(formula.full_name) do
    @targets[formula.full_name] = build_target(formula)
  end
end