@npmcli/metavuln-calculator
Advanced tools
Calculate meta-vulnerabilities from package security advisories
The @npmcli/metavuln-calculator package is designed to assess and calculate the vulnerability of npm packages by analyzing their dependencies. It helps in identifying known vulnerabilities in a project's dependency tree, allowing developers to understand and mitigate potential security risks in their npm packages.
Vulnerability Calculation
This feature allows developers to calculate the vulnerabilities in their npm package dependencies. The code sample demonstrates how to create a new instance of the calculator, passing in a cache object and the npm registry URL, and then calculate vulnerabilities using package metadata and advisories.
const Calculator = require('@npmcli/metavuln-calculator');
const calc = new Calculator({
cache: {},
registry: 'https://registry.npmjs.org'
});
calc.calculate(metadata, advisories).then(result => {
console.log(result);
});Similar to @npmcli/metavuln-calculator, npm-audit-resolver focuses on identifying and resolving vulnerabilities in npm packages. However, it provides a more interactive approach to resolving advisories by offering choices to ignore, fix, or review vulnerabilities manually.
Snyk is a broader security tool that not only covers npm packages but also other programming languages and ecosystems. It offers vulnerability detection and remediation advice. Compared to @npmcli/metavuln-calculator, Snyk provides a more comprehensive security analysis platform, including continuous monitoring and integration with CI/CD pipelines.
Calculate meta-vulnerabilities from package security advisories
This is a pretty low-level package to abstract out the parts of
@npmcli/arborist that calculate
metavulnerabilities from security advisories. If you just want to get an
audit for a package tree, probably what you want to use is
arborist.audit().
const Calculator = require('@npmcli/metavuln-calculator')
// pass in any options for cacache and pacote
// see those modules for option descriptions
const calculator = new Calculator(options)
// get an advisory somehow, typically by POSTing a JSON payload like:
// {"pkgname":["1.2.3","4.3.5", ...versions], ...packages}
// to /-/npm/v1/security/advisories/bulk
// to get a payload response like:
// {
// "semver": [
// {
// "id": 31,
// "url": "https://npmjs.com/advisories/31",
// "title": "Regular Expression Denial of Service",
// "severity": "moderate",
// "vulnerable_versions": "<4.3.2"
// }
// ],
// ...advisories
// }
const arb = new Aborist(options)
const tree = await arb.loadActual()
const advisories = await getBulkAdvisoryReportSomehow(tree)
// then to get a comprehensive set of advisories including metavulns:
const set = new Set()
for (const [name, advisory] of Object.entries(advisories)) {
// make sure we have the advisories loaded with latest version lists
set.add(await calculator.calculate(name, {advisory}))
}
for (const vuln of set) {
for (const node of tree.inventory.query('name', vuln.name)) {
// not vulnerable, just keep looking
if (!vuln.testVersion(node.version))
continue
for (const { from: dep, spec } of node.edgesIn) {
const metaAdvisory = await calculator.calculate(dep.name, vuln)
if (metaAdvisory.testVersion(dep.version, spec)) {
set.add(metaAdvisory)
}
}
}
}
The Calculator.calculate method returns a Promise that resolves to a
Advisory object, filled in from the cache and updated if necessary with
the available advisory data.
Do not instantiate Advisory objects directly. Use the calculate()
method to get one with appropriate data filled in.
Do not mutate Advisory objects. Use the supplied methods only.
name The name of the package that this vulnerability is aboutid The unique cache key for this vuln or metavuln. (See Cache Keys
below.)dependency For metavulns, the dependency that causes this package to be
have a vulnerability. For advisories, the same as name.type Either 'advisory' or 'metavuln', depending on the type of
vulnerability that this object represents.url The url for the advisory (null for metavulns)title The text title of the advisory or metavulnseverity The severity level info/low/medium/high/criticalrange The range that is vulnerableversions The set of available versions of the packagevulnerableVersions The set of versions that are vulnerablesource The numeric ID of the advisory, or the cache key of the
vulnerability that causes this metavulnupdated Boolean indicating whether this vulnerability was updated since
being read from cache.packument The packument object for the package that this vulnerability
is about.vuln.testVersion(version, [dependencySpecifier]) -> BooleanCheck to see if a given version is vulnerable. Returns true if the
version is vulnerable, and should be avoided.
For metavulns, dependencySpecifier indicates the version range of the
source of the vulnerability, which the module depends on. If not provided,
will attempt to read from the packument. If not provided, and unable to
read from the packument, then true is returned, indicating that the (not
installable) package version should be avoided.
The cache keys are calculated by hashing together the source and name
fields, prefixing with the string 'security-advisory:' and the name of
the dependency that is vulnerable.
So, a third-level metavulnerability might have a key like:
'security-advisory:foo:'+ hash(['foo', hash(['bar', hash(['baz', 123])])])
Thus, the cached entry with this key would reflect the version of foo
that is vulnerable by virtue of dependending exclusively on versions of
bar which are vulnerable by virtue of depending exclusively on versions
of baz which are vulnerable by virtue of advisory ID 123.
Loading advisory data entirely from cache without hitting an npm registry security advisory endpoint is not supported at this time, but technically possible, and likely to come in a future version of this library.
calculator = new Calculator(options)Options object is used for cacache and pacote calls.
calculator.calculate(name, source)name The name of the package that the advisory is aboutsource Advisory object from the npm security endpoint, or a Advisory
object returned by a previous call to the calculate() method.
"Advisory" objects need to have:
id id of the advisory or Advisory objectvulnerable_versions range of versions affectedurltitleseverityFetches the packument and returns a Promise that resolves to a vulnerability object described above.
Will perform required I/O to fetch package metadata from registry and read from cache. Advisory information written back to cache.
Typically, dependency ranges don't change very frequently, and the most recent version published on a given release line is most likely to contain the fix for a given vulnerability.
So, we see things like this:
3.0.4 - not vulnerable
3.0.3 - vulnerable
3.0.2 - vulnerable
3.0.1 - vulnerable
3.0.0 - vulnerable
2.3.107 - not vulnerable
2.3.106 - not vulnerable
2.3.105 - vulnerable
... 523 more vulnerable versions ...
2.0.0 - vulnerable
1.1.102 - not vulnerable
1.1.101 - vulnerable
... 387 more vulnerable versions ...
0.0.0 - vulnerable
In order to determine which versions of a package are affected by a vulnerability in a dependency, this module uses the following algorithm to minimize the number of tests required by performing a binary search on each version set, and presuming that versions between vulnerable versions within a given set are also vulnerable.
Sort list of available versions by SemVer precedence
Group versions into sets based on MAJOR/MINOR versions.
3.0.0 - 3.0.4
2.3.0 - 2.3.107
2.2.0 - 2.2.43
2.1.0 - 2.1.432
2.0.0 - 2.0.102
1.1.0 - 1.1.102
1.0.0 - 1.0.157
0.1.0 - 0.1.123
0.0.0 - 0.0.57
Test the highest and lowest in each MAJOR/MINOR set, and mark highest
and lowest with known-vulnerable status. ((s) means "safe" and (v)
means "vulnerable".)
3.0.0(v) - 3.0.4(s)
2.3.0(v) - 2.3.107(s)
2.2.0(v) - 2.2.43(v)
2.1.0(v) - 2.1.432(v)
2.0.0(v) - 2.0.102(v)
1.1.0(v) - 1.1.102(s)
1.0.0(v) - 1.0.157(v)
0.1.0(v) - 0.1.123(v)
0.0.0(v) - 0.0.57(v)
For each set of package versions:
If highest and lowest both vulnerable, assume entire set is vulnerable, and continue to next set. Ie, in the example, throw out the following version sets:
2.2.0(v) - 2.2.43(v)
2.1.0(v) - 2.1.432(v)
2.0.0(v) - 2.0.102(v)
1.0.0(v) - 1.0.157(v)
0.1.0(v) - 0.1.123(v)
0.0.0(v) - 0.0.57(v)
Test middle version MID in set, splitting into two sets.
3.0.0(v) - 3.0.2(v) - 3.0.4(s)
2.3.0(v) - 2.3.54(v) - 2.3.107(s)
1.1.0(v) - 1.1.51(v) - 1.1.102(s)
If any untested versions in Set(mid..highest) or Set(lowest..mid), add to list of sets to test.
3.0.0(v) - 3.0.2(v) <-- thrown out on next iteration
3.0.2(v) - 3.0.4(s)
2.3.0(v) - 2.3.54(v) <-- thrown out on next iteration
2.3.54(v) - 2.3.107(s)
1.1.0(v) - 1.1.51(v) <-- thrown out on next iteration
1.1.51(v) - 1.1.102(s)
When the process finishes, all versions are either confirmed safe, or confirmed/assumed vulnerable, and we avoid checking large sets of versions where vulnerabilities went unfixed.
When the dependency is in bundleDependencies, we treat any dependent
version that may be vulnerable as a vulnerability. If the dependency is
not in bundleDependencies, then we treat the dependent module as a
vulnerability if it can only resolve to dependency versions that are
vulnerable.
This relies on the reasonable assumption that the version of a bundled dependency will be within the stated dependency range, and accounts for the fact that we can't know ahead of time which version of a dependency may be bundled. So, we avoid versions that may bundle a vulnerable dependency.
For example:
Package foo depends on package bar at the following version ranges:
foo version bar version range
1.0.0 ^1.2.3
1.0.1 ^1.2.4
1.0.2 ^1.2.5
1.1.0 ^1.3.1
1.1.1 ^1.3.2
1.1.2 ^1.3.3
2.0.0 ^2.0.0
2.0.1 ^2.0.1
2.0.2 ^2.0.2
There is an advisory for bar@1.2.4 - 1.3.2. So:
foo version vulnerable?
1.0.0 if bundled (can use 1.2.3, which is not vulnerable)
1.0.1 yes (must use ^1.2.4, entirely contained in vuln range)
1.0.2 yes (must use ^1.2.5, entirely contained in vuln range)
1.1.0 if bundled (can use 1.3.3, which is not vulnerable)
1.1.1 if bundled (can use 1.3.3, which is not vulnerable)
1.1.2 no (dep is outside of vuln range)
2.0.0 no (dep is outside of vuln range)
2.0.1 no (dep is outside of vuln range)
2.0.2 no (dep is outside of vuln range)
To test a package version for metaVulnerable status, we attempt to load the
manifest of the dependency, using the vulnerable version set as the avoid
versions. If we end up selecting a version that should be avoided, then
that means that the package is vulnerable by virtue of its dependency.
FAQs
Calculate meta-vulnerabilities from package security advisories
We found that @npmcli/metavuln-calculator demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Elastic’s return to open source with the AGPL license has been met with skepticism, as many developers see it as a strategic move rather than a genuine effort to restore user trust and freedoms.
Security News
A new "revival hijack" supply chain attack targets deleted Python packages, with an estimated 22K packages at risk. Socket can detect and block hijacked packages that have added malicious code.
Product
We're introducing a new Analytics feature in the Socket dashboard so you can view changes in your organization's and repositories' alerts over time.