From 9438ff3d53681aa990c605a66c9f812152687031 Mon Sep 17 00:00:00 2001
From: Jefferson
Date: Thu, 14 Aug 2025 13:59:05 -0500
Subject: [PATCH 1/2] enhancements

Signed-off-by: Jefferson
---
 .github/workflows/check-vulns.yml | 1 +
 .github/workflows/create_issue.sh | 7 +++
 .github/workflows/format_matrix.py | 7 +++
 dep_checker/npm_audit.py | 99 +++++++++++++++++++++---------
 4 files changed, 86 insertions(+), 28 deletions(-)

diff --git a/.github/workflows/check-vulns.yml b/.github/workflows/check-vulns.yml
index 9385c4c..d91b1b2 100644
--- a/.github/workflows/check-vulns.yml
+++ b/.github/workflows/check-vulns.yml
@@ -110,6 +110,7 @@ jobs:
 VULN_DEP_NAME: ${{ matrix.vulnerabilities.dependency }}
 VULN_DEP_VERSION: ${{ matrix.vulnerabilities.version }}
 VULN_SOURCE: ${{ matrix.vulnerabilities.source }}
+ VULN_TITLE: ${{ matrix.vulnerabilities.title }}
 VULN_MAIN_DEP_NAME: ${{ matrix.vulnerabilities.main_dep_name }}
 VULN_MAIN_DEP_PATH: ${{ matrix.vulnerabilities.main_dep_path }}
 NODEJS_STREAM: ${{ inputs.nsolidStream }}
diff --git a/.github/workflows/create_issue.sh b/.github/workflows/create_issue.sh
index f2a7f4b..fe8ea1e 100755
--- a/.github/workflows/create_issue.sh
+++ b/.github/workflows/create_issue.sh
@@ -21,6 +21,7 @@ VULN_URL="${VULN_URL}"
 VULN_DEP_NAME="${VULN_DEP_NAME}"
 VULN_DEP_VERSION="${VULN_DEP_VERSION}"
 VULN_SOURCE="${VULN_SOURCE}"
+VULN_TITLE="${VULN_TITLE:-}"
 VULN_MAIN_DEP_NAME="${VULN_MAIN_DEP_NAME:-}"
 VULN_MAIN_DEP_PATH="${VULN_MAIN_DEP_PATH:-}"
 NODEJS_STREAM="${NODEJS_STREAM}"
@@ -35,6 +36,12 @@ ISSUE_BODY="A new vulnerability for ${VULN_DEP_NAME} ${VULN_DEP_VERSION} was fou
 Vulnerability ID: ${VULN_ID}
 Vulnerability URL: ${VULN_URL}"
+# Add vulnerability title if available
+if [ -n "${VULN_TITLE}" ]; then
+ ISSUE_BODY="${ISSUE_BODY}
+Vulnerability Title: ${VULN_TITLE}"
+fi
+
 # Add npm-specific info if applicable
 if [ "${VULN_SOURCE}" = "npm" ] && [ -n "${VULN_MAIN_DEP_NAME}" ]; then
 ISSUE_BODY="${ISSUE_BODY} 
diff --git a/.github/workflows/format_matrix.py b/.github/workflows/format_matrix.py
index 7728420..3973be4 100644
--- a/.github/workflows/format_matrix.py
+++ b/.github/workflows/format_matrix.py
@@ -23,6 +23,10 @@ def generate_labels_for_vulnerability(vuln: Dict[str, Any], nsolid_stream: str)
 if vuln.get("source") == "npm":
 labels.append("NPM")
+ # Add Main Dependency label if main_dep_name is present
+ if vuln.get("main_dep_name") and vuln.get("main_dep_name") != "null":
+ labels.append("Main Dependency")
+
 # Add severity label if available
 severity = vuln.get("severity")
 if severity and severity != "null":
@@ -70,6 +74,9 @@ def build_vulnerability_matrix(vulnerabilities_data: Dict[str, Any], nsolid_stre
 matrix_entry["severity"] = vuln["severity"]
 if "via" in vuln and vuln["via"]:
 matrix_entry["via"] = vuln["via"]
+ # Extract title from via array for display purposes
+ if isinstance(vuln["via"], list) and vuln["via"]:
+ matrix_entry["title"] = vuln["via"][0] if vuln["via"][0] else ""
 if "main_dep_name" in vuln and vuln["main_dep_name"] is not None:
 matrix_entry["main_dep_name"] = vuln["main_dep_name"]
 if "main_dep_path" in vuln and vuln["main_dep_path"] is not None:
diff --git a/dep_checker/npm_audit.py b/dep_checker/npm_audit.py
index f2fb42a..ae86216 100644
--- a/dep_checker/npm_audit.py
+++ b/dep_checker/npm_audit.py
@@ -21,7 +21,7 @@
 # You can also use folder names for broader exclusions (e.g., "test" excludes all test folders)
 EXCLUDE_PATHS = [
 # Specific path exclusions
- "deps/v8/tools/turbolizer",
+ "deps/v8/tools",
 # General folder name exclusions (will match any folder with this name)
 "test",
 
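Review bot: `matrix_entry["title"] = vuln["via"][0] ...` in the second hunk treats the first `via` element as an advisory title, but `via` is whatever the checker put there; in this same series npm_audit.py stores `[advisory_title]` for advisory objects and `[str(via_item)]` — a package name — for string items, so for the latter the issue body's "Vulnerability Title" line will show a dependency name. Having the checker emit an explicit `title` field and reading it here as `matrix_entry["title"] = vuln.get("title", "")` keeps the two files from sharing an implicit convention about what `via[0]` means. While here, `vuln["via"][0] if vuln["via"][0] else ""` is just `vuln["via"][0] or ""`. The enclosing `build_vulnerability_matrix` loop starts before the hunk.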
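Review bot: Widening the exclusion from `deps/v8/tools/turbolizer` to `deps/v8/tools` drops every package manifest under that tree from the audit rather than the one tool previously skipped, and the commit message ("enhancements") does not say what else under `deps/v8/tools` is meant to be excluded or why. Since `EXCLUDE_PATHS` directly shrinks the scanned surface, either keep listing the specific packages, or record the reason next to the entry, e.g. `"deps/v8/tools",  # <reason the whole tree is excluded>`, so a later reader can tell an intentional exclusion from a broad one.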
@@ -179,37 +179,80 @@ def parse_audit_results(self, audit_data: Dict, package_dir: Path, vulnerability
 severity = vuln_data.get("severity", "unknown")
 via = vuln_data.get("via", [])
 fix_available = vuln_data.get("fixAvailable", False)
+ range_info = vuln_data.get("range", "unknown")
- # Handle different via formats
+ # Handle different via formats - create separate vulnerabilities for each advisory
 if isinstance(via, list) and via:
- # Get the first vulnerability ID from via
- first_via = via[0]
- if isinstance(first_via, dict):
- vuln_id = first_via.get("source", f"npm-{vuln_name}")
- url = first_via.get("url", f"https://npmjs.com/advisories/{vuln_id}")
- else:
- vuln_id = str(first_via)
- url = f"https://npmjs.com/advisories/{vuln_id}"
+ for via_item in via:
+ if isinstance(via_item, dict):
+ # Extract individual advisory information
+ advisory_id = via_item.get("source")
+ advisory_url = via_item.get("url")
+ advisory_title = via_item.get("title", "")
+ advisory_severity = via_item.get("severity", severity)
+
+ # Use advisory ID as vulnerability ID, fallback to package name
+ if advisory_id:
+ vuln_id = str(advisory_id)
+ else:
+ vuln_id = f"npm-{vuln_name}"
+
+ # Use proper GitHub advisory URL if available
+ if advisory_url:
+ url = advisory_url
+ else:
+ url = f"https://github.com/advisories?query={vuln_name}"
+
+ # Create vulnerability with advisory-specific information
+ vulnerability = vulnerability_class(
+ id=vuln_id,
+ url=url,
+ dependency=vuln_name,
+ version=str(range_info),
+ source="npm",
+ severity=advisory_severity,
+ via=[advisory_title] if advisory_title else [],
+ fix_available=bool(fix_available),
+ main_dep_name=main_dep_name,
+ main_dep_path=main_dep_path
+ )
+ vulnerabilities.append(vulnerability)
+ else:
+ # Handle string via items (legacy format)
+ vuln_id = str(via_item)
+ url = f"https://github.com/advisories?query={vuln_id}"
+
+ vulnerability = vulnerability_class(
+ id=vuln_id,
+ url=url,
+ dependency=vuln_name,
+ version=str(range_info),
+ source="npm",
+ severity=severity,
+ via=[str(via_item)],
+ fix_available=bool(fix_available),
+ main_dep_name=main_dep_name,
+ main_dep_path=main_dep_path
+ )
+ vulnerabilities.append(vulnerability)
 else:
+ # No via information, create basic vulnerability
 vuln_id = f"npm-{vuln_name}"
- url = f"https://npmjs.com/package/{vuln_name}"
-
- # Get version range
- range_info = vuln_data.get("range", "unknown")
-
- vulnerability = vulnerability_class(
- id=vuln_id,
- url=url,
- dependency=vuln_name,
- version=str(range_info),
- source="npm",
- severity=severity,
- via=[str(v) for v in via] if via else [],
- fix_available=bool(fix_available),
- main_dep_name=main_dep_name,
- main_dep_path=main_dep_path
- )
- vulnerabilities.append(vulnerability)
+ url = f"https://github.com/advisories?query={vuln_name}"
+
+ vulnerability = vulnerability_class(
+ id=vuln_id,
+ url=url,
+ dependency=vuln_name,
+ version=str(range_info),
+ source="npm",
+ severity=severity,
+ via=[],
+ fix_available=bool(fix_available),
+ main_dep_name=main_dep_name,
+ main_dep_path=main_dep_path
+ )
+ vulnerabilities.append(vulnerability)
 except Exception as e:
 logger.error(f"Error parsing vulnerability {vuln_name}: {e}")
From b306689c4816a0cbd030b090812b54e1a3db84ae Mon Sep 17 00:00:00 2001
From: Jefferson
Date: Thu, 14 Aug 2025 14:27:35 -0500
Subject: [PATCH 2/2] enhancements

Signed-off-by: Jefferson
---
 .github/workflows/format_matrix.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/format_matrix.py b/.github/workflows/format_matrix.py
index 3973be4..55709d1 100644
--- a/.github/workflows/format_matrix.py
+++ b/.github/workflows/format_matrix.py 
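Review bot: The `else` branch of the `for via_item in via` loop (the one commented "legacy format") turns every string entry into its own vulnerability with `id=str(via_item)`, but in npm's audit output a string in `via` names the dependency through which the package is affected rather than an advisory, so an advisory reachable through several packages now produces one record — and downstream one issue — per hop, each keyed by a package name and pointing at a generic advisories search URL. It would be cleaner to emit one record per advisory object and, when there are none, a single record whose `via` lists the path, which also lets the three near-identical eleven-argument `vulnerability_class(...)` calls collapse into one construction. Note that `via` is now overloaded to carry the advisory title for object entries and package names for string entries; downstream code reading `via[0]` cannot tell which it got. The enclosing `parse_audit_results` and the `try` this sits in start before the hunk.

```python
# … unchanged: severity / via / fix_available / range_info lookups …
advisories = [v for v in via if isinstance(v, dict)] if isinstance(via, list) else []
records = []  # (id, url, severity, via) for each record to emit
for adv in advisories:
    title = adv.get("title", "")
    records.append((
        str(adv.get("source") or f"npm-{vuln_name}"),
        adv.get("url") or f"https://github.com/advisories?query={vuln_name}",
        adv.get("severity", severity),
        [title] if title else [],
    ))
if not records:
    # No advisory objects: string entries name the packages the finding is
    # reached through, so keep them as the path of one record rather than
    # emitting one record per package name.
    path = [str(v) for v in via] if isinstance(via, list) else []
    records.append((f"npm-{vuln_name}", f"https://github.com/advisories?query={vuln_name}", severity, path))
for vuln_id, url, sev, via_list in records:
    vulnerabilities.append(vulnerability_class(
        id=vuln_id, url=url, dependency=vuln_name, version=str(range_info),
        source="npm", severity=sev, via=via_list, fix_available=bool(fix_available),
        main_dep_name=main_dep_name, main_dep_path=main_dep_path,
    ))
# … unchanged: except Exception as e …
```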
@@ -23,9 +23,10 @@ def generate_labels_for_vulnerability(vuln: Dict[str, Any], nsolid_stream: str)
 if vuln.get("source") == "npm":
 labels.append("NPM")
- # Add Main Dependency label if main_dep_name is present
- if vuln.get("main_dep_name") and vuln.get("main_dep_name") != "null":
- labels.append("Main Dependency")
+ # Add main dependency name as label if present
+ main_dep_name = vuln.get("main_dep_name")
+ if main_dep_name and main_dep_name != "null":
+ labels.append(main_dep_name)
 # Add severity label if available
 severity = vuln.get("severity")
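Review bot: `labels.append(main_dep_name)` makes a value taken from the audit data into a GitHub label name, whereas every other label in this function is a fixed string from this repository; package names are not bounded or shaped for that (as far as I recall GitHub rejects label names over 50 characters, and scoped names like `@scope/name` are unusual as labels), so a long or odd name may break issue creation downstream if the label has to be created. Consider bounding and namespacing it, e.g. `labels.append(f"dep:{main_dep_name}"[:50])`, or keep the fixed `Main Dependency` label the previous commit introduced and leave the name to the issue body. The enclosing `generate_labels_for_vulnerability` starts before the hunk.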