Commit 1f2c292

Merge branch 'main' into feat_lockfile_only_flag
2 parents e54fc3f + 2b20d4a commit 1f2c292


6 files changed

+218
-47
lines changed


Cargo.lock

Lines changed: 11 additions & 29 deletions

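--- a/Cargo.toml
+++ b/Cargo.toml
@@ -80,10 +80,10 @@ deno_unsync = { version = "0.4.4", default-features = false }
 deno_whoami = "0.1.0"
 eszip = "=0.104.0"
 
-denokv_proto = "0.12.0"
-denokv_remote = "0.12.0"
+denokv_proto = "0.13.0"
+denokv_remote = "0.13.0"
 # denokv_sqlite brings in bundled sqlite if we don't disable the default features
-denokv_sqlite = { default-features = false, version = "0.12.0" }
+denokv_sqlite = { default-features = false, version = "0.13.0" }
 
 # exts
 deno_bundle_runtime = { version = "0.8.0", path = "./ext/bundle" }
@@ -230,7 +230,7 @@ rand = "=0.8.5"
 rayon = "1.8.0"
 regex = "^1.7.0"
 reqwest = { version = "=0.12.5", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli", "socks", "json", "http2"] } # pinned because of https://github.com/seanmonstar/reqwest/pull/1955
-rusqlite = { version = "0.34.0", features = ["unlock_notify", "bundled", "session", "modern_sqlite", "limits", "backup"] } # "modern_sqlite": need sqlite >= 3.49.0 for some db configs
+rusqlite = { version = "0.37.0", features = ["unlock_notify", "bundled", "session", "modern_sqlite", "limits", "backup"] } # "modern_sqlite": need sqlite >= 3.49.0 for some db configs
 rustls = { version = "=0.23.28", default-features = false, features = ["logging", "std", "tls12", "aws_lc_rs"] }
 rustls-pemfile = "2"
 rustls-tokio-stream = "=0.8.0"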

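--- a/cli/tools/pm/audit.rs
+++ b/cli/tools/pm/audit.rs
@@ -12,6 +12,8 @@ use deno_core::serde_json;
 use deno_npm::resolution::NpmResolutionSnapshot;
 use deno_resolver::npmrc::npm_registry_url;
 use eszip::v2::Url;
+use http::header::HeaderName;
+use http::header::HeaderValue;
 use serde::Deserialize;
 use serde::Serialize;
 
@@ -561,25 +563,84 @@ mod socket_dev {
 npm_resolution_snapshot: &NpmResolutionSnapshot,
 client: HttpClient,
 ) -> Result<(), AnyError> {
-let socket_dev_url = std::env::var("SOCKET_DEV_URL")
-.ok()
-.unwrap_or_else(|| "https://firewall-api.socket.dev/".to_string());
-
 let purls = npm_resolution_snapshot
 .all_packages_for_every_system()
 .map(|package| {
 format!("pkg:npm/{}@{}", package.id.nv.name, package.id.nv.version)
 })
 .collect::<Vec<_>>();
 
+let api_key = std::env::var("SOCKET_API_KEY").ok();
+
+let mut purl_responses = if let Some(api_key) = api_key {
+call_authenticated_api(&client, &purls, &api_key).await?
+} else {
+call_unauthenticated_api(&client, &purls).await?
+};
+
+purl_responses.sort_by_cached_key(|r| r.name.to_string());
+
+print_firewall_report(&purl_responses);
+
+Ok(())
+}
+
+async fn call_authenticated_api(
+client: &HttpClient,
+purls: &[String],
+api_key: &str,
+) -> Result<Vec<FirewallResponse>, AnyError> {
+let socket_dev_url =
+std::env::var("SOCKET_DEV_URL").ok().unwrap_or_else(|| {
+"https://api.socket.dev/v0/purl?actions=error,warn".to_string()
+});
+let url = Url::parse(&socket_dev_url).unwrap();
+
+let body = serde_json::json!({
+"components": purls.iter().map(|purl| {
+serde_json::json!({ "purl": purl })
+}).collect::<Vec<_>>()
+});
+
+let auth_value = HeaderValue::from_str(&format!("Bearer {}", api_key))
+.context("Failed to create Authorization header")?;
+
+let request = client
+.post_json(url, &body)?
+.header(HeaderName::from_static("authorization"), auth_value);
+
+let response = request.send().boxed_local().await?;
+let text = http_util::body_to_string(response).await?;
+
+// Response is nJSON
+let responses = text
+.lines()
+.filter(|line| !line.trim().is_empty())
+.map(|line| {
+serde_json::from_str::<FirewallResponse>(line)
+.context("Failed to parse Socket.dev response")
+})
+.collect::<Result<Vec<_>, _>>()?;
+
+Ok(responses)
+}
+
+async fn call_unauthenticated_api(
+client: &HttpClient,
+purls: &[String],
+) -> Result<Vec<FirewallResponse>, AnyError> {
+let socket_dev_url = std::env::var("SOCKET_DEV_URL")
+.ok()
+.unwrap_or_else(|| "https://firewall-api.socket.dev/".to_string());
+
 let futures = purls
-.into_iter()
+.iter()
 .map(|purl| {
 let url = Url::parse(&format!(
 "{}purl/{}",
 socket_dev_url,
 percent_encoding::utf8_percent_encode(
-&purl,
+purl,
 percent_encoding::NON_ALPHANUMERIC
 )
 ))
@@ -592,7 +653,8 @@ mod socket_dev {
 .buffer_unordered(20)
 .collect::<Vec<_>>()
 .await;
-let mut purl_responses = purl_results
+
+let responses = purl_results
 .into_iter()
 .filter_map(|result| match result {
 Ok(a) => Some(a),
@@ -607,17 +669,13 @@ mod socket_dev {
 response
 })
 .collect::<Vec<_>>();
-purl_responses.sort_by_cached_key(|r| r.name.to_string());
-
-print_firewall_report(&purl_responses);
 
-Ok(())
+Ok(responses)
 }
 
 fn print_firewall_report(responses: &[FirewallResponse]) {
 let stdout = &mut std::io::stdout();
 
-// Separator
 _ = writeln!(stdout);
 _ = writeln!(stdout, "{}", colors::bold("Socket.dev firewall report"));
 _ = writeln!(stdout);
@@ -638,7 +696,6 @@ mod socket_dev {
 
 _ = writeln!(stdout, "╭ pkg:npm/{}@{}", response.name, response.version);
 
-// Print scores if available
 if let Some(score) = &response.score {
 _ = writeln!(
 stdout,
@@ -672,7 +729,7 @@ mod socket_dev {
 );
 }
 
-// Count alerts by severity
+// critical and high are counted as one for display.
 let mut critical_count = 0;
 let mut medium_count = 0;
 let mut low_count = 0;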
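Review bot: `Url::parse(&socket_dev_url).unwrap()` in the new `call_authenticated_api` panics when the environment-supplied `SOCKET_DEV_URL` is not a valid URL, while every other failure in that function is propagated with `.context(...)?`; the same extension is already in scope, so `let url = Url::parse(&socket_dev_url).context("Invalid SOCKET_DEV_URL")?;` keeps the error path uniform. The bearer header built from `SOCKET_API_KEY` should also be flagged so HTTP/2 HPACK does not index it and header-dumping helpers skip it: `let mut auth_value = HeaderValue::from_str(&format!("Bearer {}", api_key)).context("Failed to create Authorization header")?; auth_value.set_sensitive(true);`. Both helpers read the same `SOCKET_DEV_URL` variable but interpret it differently (a complete endpoint in the authenticated path, a base prefix that `{}purl/{}` is appended to in the unauthenticated one), and an override also decides which host receives the API key, so each read deserves a comment along the lines of `// SOCKET_DEV_URL replaces the whole endpoint; the API key is sent to whatever host it names`. If `send()` does not reject non-2xx statuses (not visible in this hunk), a 401/403 for a bad key will surface as "Failed to parse Socket.dev response", so checking the status before parsing would give a clearer error; the comment `// Response is nJSON` presumably means NDJSON. The unauthenticated path still drops individual failures through `filter_map` whereas the authenticated one aborts on the first unparsable line — if that asymmetry is intended, a one-line comment on the `collect::<Result<Vec<_>, _>>()?` saying so would save the next reader the question.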

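--- a/tests/specs/audit/package_json_only/__test__.jsonc
+++ b/tests/specs/audit/package_json_only/__test__.jsonc
@@ -14,6 +14,14 @@
 "args": "audit --socket",
 "output": "audit_socket.out",
 "exitCode": 1
+},
+{
+"args": "audit --socket",
+"output": "audit_socket_authenticated.out",
+"exitCode": 1,
+"envs": {
+"SOCKET_API_KEY": "test-api-key-12345"
+}
 }
 ]
 }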
Lines changed: 50 additions & 0 deletions
@@ -0,0 +1,50 @@
1+
╭ @denotest/with-vuln1 is susceptible to prototype pollution
2+
│ Severity: high
3+
│ Package: @edenotest/with-vuln1
4+
│ Vulnerable: <1.1.0
5+
│ Patched: >=1.1.0
6+
│ Path: @denotest/with-vuln1
7+
│ Info: https://example.com/vuln/101010
8+
╰ Actions: install @denotest/with-vuln1@1.1.0
9+
10+
╭ @denotest/with-vuln2 can steal crypto keys
11+
│ Severity: critical
12+
│ Package: @edenotest/with-vuln2
13+
│ Vulnerable: <2.0.0
14+
│ Patched: >=2.0.0
15+
│ Path: @denotest/using-vuln>@denotest/with-vuln2
16+
│ Info: https://example.com/vuln/202020
17+
│ Actions: install @denotest/with-vuln2@2.0.0 (major upgrade)
18+
╰ review @denotest/with-vuln2
19+
20+
Found 2 vulnerabilities
21+
Severity: 0 low, 0 moderate, 1 high, 1 critical
22+
23+
Socket.dev firewall report
24+
25+
╭ pkg:npm/@denotest/using-vuln@1.0.0
26+
│ Supply Chain Risk: 100
27+
│ Maintenance: 78
28+
│ Quality: 94
29+
│ Vulnerabilities: 100
30+
│ License: 100
31+
╰ Alerts (1/0/0): [critical] malware
32+
33+
╭ pkg:npm/@denotest/with-vuln1@1.0.0
34+
│ Supply Chain Risk: 100
35+
│ Maintenance: 78
36+
│ Quality: 94
37+
│ Vulnerabilities: 100
38+
│ License: 100
39+
╰ Alerts (1/0/0): [critical] malware
40+
41+
╭ pkg:npm/@denotest/with-vuln2@1.5.0
42+
│ Supply Chain Risk: 100
43+
│ Maintenance: 78
44+
│ Quality: 94
45+
│ Vulnerabilities: 100
46+
│ License: 100
47+
╰ Alerts (1/0/0): [critical] malware
48+
49+
Found 3 alerts across 3 packages
50+
Severity: 0 low, 0 medium, 0 high, 3 critical
