is-my-node-vulnerable - npm Package Compare versions

Comparing version 1.2.0 to 1.3.0

action.js

@@ -7,4 +7,6 @@ const core = require('@actions/core')
   const nodeVersion = core.getInput('node-version', { required: true })
-  core.info(`Checking Node.js version ${nodeVersion}...`)
-  const isVulnerable = await isNodeVulnerable(nodeVersion)
+  const platform = core.getInput('platform', { required: false })
+
+  core.info(`Checking Node.js version ${nodeVersion} with platform ${platform}...`)
+  const isVulnerable = await isNodeVulnerable(nodeVersion, platform)
   if (isVulnerable) {
@@ -11,0 +13,0 @@ core.setFailed(`Node.js version ${nodeVersion} is vulnerable. Please upgrade!`)

index.js

@@ -7,2 +7,3 @@ #!/usr/bin/env node
 const path = require('path')
+const os = require('os')
 const debug = require('debug')('is-my-node-vulnerable')
@@ -63,9 +64,31 @@ const satisfies = require('semver/functions/satisfies')
 
-function getVulnerabilityList (currentVersion, data) {
+const checkPlatform = platform => {
+  const availablePlatforms = ['aix', 'darwin', 'freebsd', 'linux', 'openbsd', 'sunos', 'win32', 'android']
+  if (platform && !availablePlatforms.includes(platform)) {
+    throw new Error(`platform ${platform} is not valid. Please use ${availablePlatforms.join(',')}.`)
+  }
+}
+const isSystemAffected = (platform, affectedEnvironments) => {
+  // No platform specified (legacy mode)
+  if (!platform || !Array.isArray(affectedEnvironments)) {
+    return true
+  }
+  // If the environment is matching or all the environments are affected
+  if (affectedEnvironments.includes(platform) || affectedEnvironments.includes('all')) {
+    return true
+  }
+  // Default to false
+  return false
+}
+
+function getVulnerabilityList (currentVersion, data, platform) {
   const list = []
   for (const key in data) {
     const vuln = data[key]
+
     if (
-      satisfies(currentVersion, vuln.vulnerable) &&
-      !satisfies(currentVersion, vuln.patched)
+      (
+        satisfies(currentVersion, vuln.vulnerable) &&
+        !satisfies(currentVersion, vuln.patched)
+      ) && isSystemAffected(platform, vuln.affectedEnvironments)
     ) {
@@ -78,3 +101,4 @@ list.push(`${bold(vuln.cve)}: ${vuln.overview}\n${bold('Patched versions')}: ${vuln.patched}`)
 
-async function main (currentVersion) {
+async function main (currentVersion, platform) {
+  checkPlatform(platform)
   const isEOL = await isNodeEOL(currentVersion)
@@ -88,3 +112,3 @@ if (isEOL) {
   const coreIndex = await getCoreIndex()
-  const list = getVulnerabilityList(currentVersion, coreIndex)
+  const list = getVulnerabilityList(currentVersion, coreIndex, platform)
   if (list.length) {
@@ -122,3 +146,4 @@ console.error(danger)
 
-async function isNodeVulnerable (version) {
+async function isNodeVulnerable (version, platform) {
+  checkPlatform(platform)
   const isEOL = await isNodeEOL(version)
@@ -130,3 +155,3 @@ if (isEOL) {
   const coreIndex = await getCoreIndex()
-  const list = getVulnerabilityList(version, coreIndex)
+  const list = getVulnerabilityList(version, coreIndex, platform)
   return list.length > 0
@@ -141,3 +166,3 @@ }
 if (require.main === module) {
-  main(process.version)
+  main(process.version, os.platform())
 } else {
@@ -144,0 +169,0 @@ module.exports = {

package.json

 {
   "name": "is-my-node-vulnerable",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "package that checks if your Node.js installation is vulnerable to known security vulnerabilities",
@@ -5,0 +5,0 @@ "main": "index.js",

README.md

@@ -82,2 +82,10 @@ # is-my-node-vulnerable
 
+Optionally you can define the platform with the argument `platform` to limit the scope. The available platforms are [the same values](https://nodejs.org/api/os.html#osplatform) available in for `os.platform()`.
+
+```js
+const { isNodeVulnerable } = require('is-my-node-vulnerable')
+
+isNodeVulnerable('19.0.0', 'linux') // true
+```
+
 [Node.js Security Database]: https://github.com/nodejs/security-wg/tree/main/vuln
@@ -105,2 +113,13 @@
           node-version: "18.14.1"
+```
+
+Optionally you can define the platform with the argument `platform` to limit the scope. The available platforms are [the same values](https://nodejs.org/api/os.html#osplatform) available in for `os.platform()`.
+
+```yml
+      - uses: actions/checkout@v3
+      - name: Check Node.js
+        uses: RafaelGSS/is-my-node-vulnerable@v1.2.0
+        with:
+          node-version: "18.14.1"
+          platform: "linux"
 ```

test.js

@@ -25,4 +25,10 @@ const assert = require('assert')
   assert.ok(await isNodeVulnerable('v0.12.18'))
+
+  // Platform specific
+  assert.ok(await isNodeVulnerable('19.0.0', 'linux'))
+  assert.ok(await isNodeVulnerable('18.0.0', 'win32'))
+  assert.ok(await isNodeVulnerable('14.0.0', 'android'))
+  assert.rejects(() => isNodeVulnerable('20.0.0', 'non-valid-platform'), /platform non-valid-platform is not valid. Please use aix,darwin,freebsd,linux,openbsd,sunos,win32,android/)
 }
 
 t()

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

1356306

increased by0.23%

Lines of code

35437

increased by0.15%

Number of lines in readme file

123

increased by18.27%

Number of medium supply chain risk alerts

0

decreased by-100%

No dependency changes