is-my-node-vulnerable
Comparing version 1.2.0 to 1.3.0
@@ -7,4 +7,6 @@ const core = require('@actions/core') | ||
const nodeVersion = core.getInput('node-version', { required: true }) | ||
core.info(`Checking Node.js version ${nodeVersion}...`) | ||
const isVulnerable = await isNodeVulnerable(nodeVersion) | ||
const platform = core.getInput('platform', { required: false }) | ||
core.info(`Checking Node.js version ${nodeVersion} with platform ${platform}...`) | ||
const isVulnerable = await isNodeVulnerable(nodeVersion, platform) | ||
if (isVulnerable) { | ||
@@ -11,0 +13,0 @@ core.setFailed(`Node.js version ${nodeVersion} is vulnerable. Please upgrade!`) |
index.js
@@ -7,2 +7,3 @@ #!/usr/bin/env node | ||
const path = require('path') | ||
const os = require('os') | ||
const debug = require('debug')('is-my-node-vulnerable') | ||
@@ -63,9 +64,31 @@ const satisfies = require('semver/functions/satisfies') | ||
function getVulnerabilityList (currentVersion, data) { | ||
const checkPlatform = platform => { | ||
const availablePlatforms = ['aix', 'darwin', 'freebsd', 'linux', 'openbsd', 'sunos', 'win32', 'android'] | ||
if (platform && !availablePlatforms.includes(platform)) { | ||
throw new Error(`platform ${platform} is not valid. Please use ${availablePlatforms.join(',')}.`) | ||
} | ||
} | ||
const isSystemAffected = (platform, affectedEnvironments) => { | ||
// No platform specified (legacy mode) | ||
if (!platform || !Array.isArray(affectedEnvironments)) { | ||
return true | ||
} | ||
// If the environment is matching or all the environments are affected | ||
if (affectedEnvironments.includes(platform) || affectedEnvironments.includes('all')) { | ||
return true | ||
} | ||
// Default to false | ||
return false | ||
} | ||
function getVulnerabilityList (currentVersion, data, platform) { | ||
const list = [] | ||
for (const key in data) { | ||
const vuln = data[key] | ||
if ( | ||
satisfies(currentVersion, vuln.vulnerable) && | ||
!satisfies(currentVersion, vuln.patched) | ||
( | ||
satisfies(currentVersion, vuln.vulnerable) && | ||
!satisfies(currentVersion, vuln.patched) | ||
) && isSystemAffected(platform, vuln.affectedEnvironments) | ||
) { | ||
@@ -78,3 +101,4 @@ list.push(`${bold(vuln.cve)}: ${vuln.overview}\n${bold('Patched versions')}: ${vuln.patched}`) | ||
async function main (currentVersion) { | ||
async function main (currentVersion, platform) { | ||
checkPlatform(platform) | ||
const isEOL = await isNodeEOL(currentVersion) | ||
@@ -88,3 +112,3 @@ if (isEOL) { | ||
const coreIndex = await getCoreIndex() | ||
const list = getVulnerabilityList(currentVersion, coreIndex) | ||
const list = getVulnerabilityList(currentVersion, coreIndex, platform) | ||
if (list.length) { | ||
@@ -122,3 +146,4 @@ console.error(danger) | ||
async function isNodeVulnerable (version) { | ||
async function isNodeVulnerable (version, platform) { | ||
checkPlatform(platform) | ||
const isEOL = await isNodeEOL(version) | ||
@@ -130,3 +155,3 @@ if (isEOL) { | ||
const coreIndex = await getCoreIndex() | ||
const list = getVulnerabilityList(version, coreIndex) | ||
const list = getVulnerabilityList(version, coreIndex, platform) | ||
return list.length > 0 | ||
@@ -141,3 +166,3 @@ } | ||
if (require.main === module) { | ||
main(process.version) | ||
main(process.version, os.platform()) | ||
} else { | ||
@@ -144,0 +169,0 @@ module.exports = { |
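Review bot: In the new `isSystemAffected` helper (hunk `@@ -63,9 +64,31 @@`), an `affectedEnvironments` value that is an array but empty reaches the final `return false`, so a database entry with `affectedEnvironments: []` would be reported as affecting no platform once a platform is passed, whereas a missing or non-array field is conservatively treated as affecting every platform. For a security gate the fail-safe direction is to treat an empty list like a missing one: `if (!platform || !Array.isArray(affectedEnvironments) || affectedEnvironments.length === 0) {`. I cannot tell from here whether the upstream database ever ships an empty list, but the cost of that guard is one extra finding rather than a silently skipped CVE. The `availablePlatforms` allow-list in `checkPlatform` also deserves a comment saying that anything else throws rather than falling back to the platform-less check, since the CLI path `main(process.version, os.platform())` in the last hunk inherits that behaviour on any platform string not in the list.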
{ | ||
"name": "is-my-node-vulnerable", | ||
"version": "1.2.0", | ||
"version": "1.3.0", | ||
"description": "package that checks if your Node.js installation is vulnerable to known security vulnerabilities", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -82,2 +82,10 @@ # is-my-node-vulnerable | ||
Optionally you can define the platform with the argument `platform` to limit the scope. The available platforms are [the same values](https://nodejs.org/api/os.html#osplatform) available in for `os.platform()`. | ||
```js | ||
const { isNodeVulnerable } = require('is-my-node-vulnerable') | ||
isNodeVulnerable('19.0.0', 'linux') // true | ||
``` | ||
[Node.js Security Database]: https://github.com/nodejs/security-wg/tree/main/vuln | ||
@@ -105,2 +113,13 @@ | ||
node-version: "18.14.1" | ||
``` | ||
Optionally you can define the platform with the argument `platform` to limit the scope. The available platforms are [the same values](https://nodejs.org/api/os.html#osplatform) available in for `os.platform()`. | ||
```yml | ||
- uses: actions/checkout@v3 | ||
- name: Check Node.js | ||
uses: RafaelGSS/is-my-node-vulnerable@v1.2.0 | ||
with: | ||
node-version: "18.14.1" | ||
platform: "linux" | ||
``` |
@@ -25,4 +25,10 @@ const assert = require('assert') | ||
assert.ok(await isNodeVulnerable('v0.12.18')) | ||
// Platform specific | ||
assert.ok(await isNodeVulnerable('19.0.0', 'linux')) | ||
assert.ok(await isNodeVulnerable('18.0.0', 'win32')) | ||
assert.ok(await isNodeVulnerable('14.0.0', 'android')) | ||
assert.rejects(() => isNodeVulnerable('20.0.0', 'non-valid-platform'), /platform non-valid-platform is not valid. Please use aix,darwin,freebsd,linux,openbsd,sunos,win32,android/) | ||
} | ||
t() |
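Review bot: The `assert.rejects(...)` call on the last added line is not awaited, so `t()` resolves before the rejection check completes and a regression (for example `isNodeVulnerable` resolving instead of throwing for an invalid platform) would surface only as an unhandled rejection rather than a test failure; prefix the call with `await`, i.e. `await assert.rejects(() => isNodeVulnerable('20.0.0', 'non-valid-platform'), /platform non-valid-platform is not valid/)`. The three new `assert.ok` checks depend on the remote database fetched by `getCoreIndex` listing those versions as affected for the given platform, which is outside this file, so a short comment such as `// relies on the live security database; 19.0.0/18.0.0/14.0.0 are unpatched releases` would make the expectation explicit. The enclosing `t` function starts outside the hunk.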