From 96522194081787a41b6efa350fa77ef6f76566fb Mon Sep 17 00:00:00 2001 From: Srdjan Miletic Date: Mon, 11 Jul 2022 03:45:37 +0100 Subject: [PATCH 01/12] chore: add pvdb url to config --- src/lib/config/index.ts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/lib/config/index.ts b/src/lib/config/index.ts index 3f22065ad7..0e00e85e26 100644 --- a/src/lib/config/index.ts +++ b/src/lib/config/index.ts @@ -25,6 +25,7 @@ interface Config { IAC_BUNDLE_PATH?: string; IAC_POLICY_ENGINE_PATH?: string; IAC_OUTPUT_V2?: boolean; + PUBLIC_VULN_DB_URL: string; } // TODO: fix the types! @@ -76,4 +77,6 @@ if (!config.ROOT) { config.ROOT = apiUrl.protocol + '//' + apiUrl.host; } +config.PUBLIC_VULN_DB_URL = "https://security.snyk.io" + export default config; From ad80d74a8af6434c5a77587bc784bf6113abf7dd Mon Sep 17 00:00:00 2001 From: Srdjan Miletic Date: Mon, 11 Jul 2022 03:46:36 +0100 Subject: [PATCH 02/12] feat: update general vuln descriptions to point to pvdb --- src/lib/formatters/legacy-format-issue.ts | 2 +- src/lib/formatters/remediation-based-format-issues.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lib/formatters/legacy-format-issue.ts b/src/lib/formatters/legacy-format-issue.ts index 8916201e31..a276aef906 100644 --- a/src/lib/formatters/legacy-format-issue.ts +++ b/src/lib/formatters/legacy-format-issue.ts @@ -46,7 +46,7 @@ export function formatIssues( }), introducedThrough: ' Introduced through: ' + uniquePackages, description: ' Description: ' + vuln.title, - info: ' Info: ' + chalk.underline(config.ROOT + '/vuln/' + vulnID), + info: ' Info: ' + chalk.underline(config.PUBLIC_VULN_DB_URL + '/vuln/' + vulnID), fromPaths: createTruncatedVulnsPathsText(vuln.list, options.showVulnPaths), extraInfo: vuln.note ? chalk.bold('\n Note: ' + vuln.note) : '', remediationInfo: diff --git a/src/lib/formatters/remediation-based-format-issues.ts b/src/lib/formatters/remediation-based-format-issues.ts index 2fd590a731..34e20926ba 100644 
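Review bot: In the second hunk of src/lib/config/index.ts the new `config.PUBLIC_VULN_DB_URL = "https://security.snyk.io"` assignment is unconditional, so unlike `ROOT` (only defaulted when unset) any value loaded from the config file or environment earlier in this file would be silently discarded. If an override is meant to remain possible for self-hosted or regional deployments (the test comment removed later in this series, `replace hostname in policy if using env var SNYK_API`, shows links used to follow the configured host), default instead of overwrite: `config.PUBLIC_VULN_DB_URL = config.PUBLIC_VULN_DB_URL || 'https://security.snyk.io';`. If ignoring `SNYK_API` is deliberate, a one-line comment saying so at this assignment would save the next reader the question. The `interface Config` addition also declares the field as required even though nothing populates it before this line, which is worth either marking optional or noting next to the existing `// TODO: fix the types!`.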
--- a/src/lib/formatters/remediation-based-format-issues.ts +++ b/src/lib/formatters/remediation-based-format-issues.ts @@ -494,7 +494,7 @@ export function formatIssue( )} Severity${originalSeverityStr}]`, ) + reachabilityText + - `[${config.ROOT}/vuln/${id}]` + + `[${config.PUBLIC_VULN_DB_URL}/vuln/${id}]` + name + reachableVia + introducedBy + From f536c9d70d66b9bef277fa9debd2cdbc3caf9c94 Mon Sep 17 00:00:00 2001 From: Srdjan Miletic Date: Mon, 11 Jul 2022 03:46:47 +0100 Subject: [PATCH 03/12] feat: update spotlight vuln descriptions --- src/lib/spotlight-vuln-notification.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/spotlight-vuln-notification.ts b/src/lib/spotlight-vuln-notification.ts index e9d8c94939..4109f3a7da 100644 --- a/src/lib/spotlight-vuln-notification.ts +++ b/src/lib/spotlight-vuln-notification.ts @@ -41,7 +41,7 @@ export function notificationForSpotlightVulns( ); for (const vulnId of foundSpotlightVulnsIds) { - message += ` - ${vulnId} (See https://snyk.io/vuln/${vulnId})`; + message += ` - ${vulnId} (See https://security.snyk.io/vuln/${vulnId})`; } message += EOL + EOL; From c5fa041606f2dd1a52efa036383b26ec78271d63 Mon Sep 17 00:00:00 2001 From: Srdjan Miletic Date: Mon, 11 Jul 2022 04:01:56 +0100 Subject: [PATCH 04/12] chore: fix tests --- test/smoke/spec/snyk_test_spec.sh | 6 +++--- test/tap/cli-test/cli-test.docker.spec.ts | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test/smoke/spec/snyk_test_spec.sh b/test/smoke/spec/snyk_test_spec.sh index b9927ab90c..a769c46e56 100644 --- a/test/smoke/spec/snyk_test_spec.sh +++ b/test/smoke/spec/snyk_test_spec.sh 
@@ -58,7 +58,7 @@ Describe "Snyk test command" It "finds vulns in a project in the same folder" When run run_test_in_subfolder The status should equal 1 - The output should include "https://snyk.io/vuln/npm:minimatch:20160620" + The output should include "https://security.snyk.io/vuln/npm:minimatch:20160620" if should_have_deprecation_warnings; then The stderr should not equal "" else @@ -69,7 +69,7 @@ Describe "Snyk test command" It "finds vulns in a project when pointing to a folder" When run snyk test ../fixtures/basic-npm The status should be failure # issues found - The output should include "https://snyk.io/vuln/npm:minimatch:20160620" + The output should include "https://security.snyk.io/vuln/npm:minimatch:20160620" if should_have_deprecation_warnings; then The stderr should not equal "" else @@ -80,7 +80,7 @@ Describe "Snyk test command" It "finds vulns in a project when pointing to a file" When run snyk test --file=../fixtures/basic-npm/package.json The status should be failure # issues found - The output should include "https://snyk.io/vuln/npm:minimatch:20160620" + The output should include "https://security.snyk.io/vuln/npm:minimatch:20160620" if should_have_deprecation_warnings; then The stderr should not equal "" else diff --git a/test/tap/cli-test/cli-test.docker.spec.ts b/test/tap/cli-test/cli-test.docker.spec.ts index 8ffe572410..f15c0eac86 100644 --- a/test/tap/cli-test/cli-test.docker.spec.ts +++ b/test/tap/cli-test/cli-test.docker.spec.ts @@ -632,7 +632,7 @@ export const DockerTests: AcceptanceTests = { ); t.match( msg, - 'Info: http://localhost:12345/vuln/SNYK-UPSTREAM-NODE-72359', + 'Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-72359', ); t.false( msg.includes('vulnerable paths'), From 2404611530caee961f2398eef7973f8fc49c8a17 Mon Sep 17 00:00:00 2001 
From: Srdjan Miletic Date: Mon, 11 Jul 2022 04:05:00 +0100 Subject: [PATCH 05/12] fix: formatting --- src/lib/config/index.ts | 2 +- src/lib/formatters/legacy-format-issue.ts | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/lib/config/index.ts b/src/lib/config/index.ts index 0e00e85e26..0d87591961 100644 --- a/src/lib/config/index.ts +++ b/src/lib/config/index.ts @@ -77,6 +77,6 @@ if (!config.ROOT) { config.ROOT = apiUrl.protocol + '//' + apiUrl.host; } -config.PUBLIC_VULN_DB_URL = "https://security.snyk.io" +config.PUBLIC_VULN_DB_URL = 'https://security.snyk.io'; export default config; diff --git a/src/lib/formatters/legacy-format-issue.ts b/src/lib/formatters/legacy-format-issue.ts index a276aef906..9e10f57e8e 100644 --- a/src/lib/formatters/legacy-format-issue.ts +++ b/src/lib/formatters/legacy-format-issue.ts @@ -46,7 +46,9 @@ export function formatIssues( }), introducedThrough: ' Introduced through: ' + uniquePackages, description: ' Description: ' + vuln.title, - info: ' Info: ' + chalk.underline(config.PUBLIC_VULN_DB_URL + '/vuln/' + vulnID), + info: + ' Info: ' + + chalk.underline(config.PUBLIC_VULN_DB_URL + '/vuln/' + vulnID), fromPaths: createTruncatedVulnsPathsText(vuln.list, options.showVulnPaths), extraInfo: vuln.note ? chalk.bold('\n Note: ' + vuln.note) : '', remediationInfo: From 632445bcef8c7b133e4423c173d01c8d259d1a34 Mon Sep 17 00:00:00 2001 From: Srdjan Miletic Date: Mon, 11 Jul 2022 11:03:09 +0100 Subject: [PATCH 06/12] fix: display-test-results tests --- test/tap/display-test-results.test.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/tap/display-test-results.test.ts b/test/tap/display-test-results.test.ts index d3cbfc9895..86f7851512 100644 --- a/test/tap/display-test-results.test.ts +++ b/test/tap/display-test-results.test.ts 
@@ -173,7 +173,7 @@ test('`test npm-package-with-severity-override` show original severity upgrade', const { message } = error; t.match( message, - `[Low Severity (originally Medium)][${apiUrl.protocol}//${apiUrl.host}/vuln/npm:node-uuid:20160328]`, + `[Low Severity (originally Medium)][${config.PUBLIC_VULN_DB_URL}/vuln/npm:node-uuid:20160328]`, ); } @@ -200,7 +200,7 @@ test('`test npm-package-with-severity-override` show original severity patches', t.match(message, 'Patch available for node-uuid@1.4.0'); t.match( message, - `[Low Severity (originally Medium)][${apiUrl.protocol}//${apiUrl.host}/vuln/npm:node-uuid:20160328]`, + `[Low Severity (originally Medium)][${config.PUBLIC_VULN_DB_URL}/vuln/npm:node-uuid:20160328]`, ); } @@ -252,7 +252,7 @@ test('`test npm-package-with-severity-override` show original severity unresolve const { message } = error; t.match( message, - `Malicious Package [Low Severity (originally Medium)][${apiUrl.protocol}//${apiUrl.host}/vuln/npm:node-uuid:20160328`, + `Malicious Package [Low Severity (originally Medium)][${config.PUBLIC_VULN_DB_URL}/vuln/npm:node-uuid:20160328`, ); } @@ -278,7 +278,7 @@ test('`test npm-package-with-severity-override` dont show original severity if i const { message } = error; t.match( message, - `[Low Severity][${apiUrl.protocol}//${apiUrl.host}/vuln/npm:node-uuid:20160328]`, + `[Low Severity][${config.PUBLIC_VULN_DB_URL}/vuln/npm:node-uuid:20160328]`, ); } From 16d4a612e1e61c2d6bbef093d3b736f91bb5e644 Mon Sep 17 00:00:00 2001 From: Srdjan Miletic Date: Mon, 11 Jul 2022 11:19:04 +0100 Subject: [PATCH 07/12] fix: cli-output tests --- .../workspaces/pip-app-transitive-vuln/cli-output.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/acceptance/workspaces/pip-app-transitive-vuln/cli-output.txt b/test/acceptance/workspaces/pip-app-transitive-vuln/cli-output.txt index 424ffb3d05..c961043690 100644 --- a/test/acceptance/workspaces/pip-app-transitive-vuln/cli-output.txt 
+++ b/test/acceptance/workspaces/pip-app-transitive-vuln/cli-output.txt @@ -3,7 +3,7 @@ Testing pip-app-transitive-vuln... ✗ Medium severity vulnerability found in Jinja2 Description: Sandbox Escape - Info: http://localhost:12345/vuln/SNYK-PYTHON-JINJA2-174126 + Info: https://security.snyk.io/vuln/SNYK-PYTHON-JINJA2-174126 Introduced through: flask@0.12.2 From: flask@0.12.2 > Jinja2@2.9.6 Remediation: @@ -11,7 +11,7 @@ Testing pip-app-transitive-vuln... ✗ High severity vulnerability found in flask Description: Improper Input Validation - Info: http://localhost:12345/vuln/SNYK-PYTHON-FLASK-42185 + Info: https://security.snyk.io/vuln/SNYK-PYTHON-FLASK-42185 Introduced through: flask@0.12.2 From: flask@0.12.2 Remediation: @@ -19,7 +19,7 @@ Testing pip-app-transitive-vuln... ✗ High severity vulnerability found in flask Description: Denial of Service (DOS) - Info: http://localhost:12345/vuln/SNYK-PYTHON-FLASK-451637 + Info: https://security.snyk.io/vuln/SNYK-PYTHON-FLASK-451637 Introduced through: flask@0.12.2 From: flask@0.12.2 Remediation: @@ -27,7 +27,7 @@ Testing pip-app-transitive-vuln... ✗ High severity vulnerability found in Werkzeug Description: Insufficient Randomness - Info: http://localhost:12345/vuln/SNYK-PYTHON-WERKZEUG-458931 + Info: https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-458931 Introduced through: flask@0.12.2 From: flask@0.12.2 > Werkzeug@0.12.2 Remediation: From 6e6c909bfb7d2ec925878ad05bfae4b2473f1c64 Mon Sep 17 00:00:00 2001 From: Srdjan Miletic Date: Mon, 11 Jul 2022 11:25:22 +0100 Subject: [PATCH 08/12] fix: linting --- test/tap/display-test-results.test.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/test/tap/display-test-results.test.ts b/test/tap/display-test-results.test.ts index 86f7851512..98c0993609 100644 --- a/test/tap/display-test-results.test.ts +++ b/test/tap/display-test-results.test.ts 
@@ -11,7 +11,6 @@ import { getWorkspacePath } from '../jest/util/getWorkspacePath'; const { test } = tap; (tap as any).runOnly = false; // <- for debug. set to true, and replace a test to only(..) -const apiUrl = new URL(config.ROOT); test('`test ruby-app` remediation displayed', async (t) => { chdirWorkspaces(); From 01154c9af0e1604519d962198379ec6c7ebe23c5 Mon Sep 17 00:00:00 2001 From: Srdjan Miletic Date: Mon, 11 Jul 2022 11:40:50 +0100 Subject: [PATCH 09/12] fix: vuln links using demunge --- src/lib/display-policy.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/display-policy.ts b/src/lib/display-policy.ts index aab5fcc048..9b086406e8 100644 --- a/src/lib/display-policy.ts +++ b/src/lib/display-policy.ts @@ -3,7 +3,7 @@ import { demunge } from 'snyk-policy'; import config from './config'; export async function display(policy) { - const p = demunge(policy, config.ROOT); + const p = demunge(policy, config.PUBLIC_VULN_DB_URL); const delimiter = '\n\n------------------------\n'; let res = From 6128f25d15f45626a053707d2ca0dafc0f64b5e7 Mon Sep 17 00:00:00 2001 From: Srdjan Miletic Date: Mon, 11 Jul 2022 15:54:41 +0100 Subject: [PATCH 10/12] fix: old snyk file tests --- test/fixtures/snyk-config-no-version/expected | 12 ++++++------ test/jest/unit/policy-display.spec.ts | 7 ++----- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/test/fixtures/snyk-config-no-version/expected b/test/fixtures/snyk-config-no-version/expected index a410bf214e..569488955e 100644 --- a/test/fixtures/snyk-config-no-version/expected +++ b/test/fixtures/snyk-config-no-version/expected 
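Review bot: `demunge(policy, config.PUBLIC_VULN_DB_URL)` in src/lib/display-policy.ts changes user-visible behaviour for `SNYK_API`-overridden setups: policy links no longer follow `config.ROOT`, as the test comment removed in the next patch (`replace hostname in policy if using env var SNYK_API`) shows they previously did. That is probably intended, but it deserves a sentence in the commit message and a comment at the call site, e.g. `// Vuln links point at the public vulnerability DB, not the configured API host.`. I am inferring from the updated fixture (`https://security.snyk.io/vuln/npm:ms:20151024`) that `demunge` appends `/vuln/<id>` to its second argument; worth confirming against snyk-policy so an overridden URL with a trailing slash does not render `//vuln/`. The remainder of `display` lies outside the hunk.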
@@ -2,7 +2,7 @@ Current Snyk policy, read from .snyk file Modified: Fri Nov 20 2015 17:32:48 GMT+0000 (GMT) Created: Fri Nov 20 2015 16:04:35 GMT+0000 (GMT) -#1 Patch vulnerability https://snyk.io/vuln/npm:ms:20151024 in the following paths: +#1 Patch vulnerability https://security.snyk.io/vuln/npm:ms:20151024 in the following paths: socket.io@1.3.7 > debug@2.1.0 > ms@0.6.2 spm-client@0.4.3 > debug@2.1.3 > ms@0.7.0 socket.io@1.3.7 > engine.io@1.5.4 > debug@1.0.3 > ms@0.6.2 @@ -11,16 +11,16 @@ socket.io-client@1.3.7 > engine.io-client@1.5.4 > debug@1.0.4 > ms@0.6.2 spm-client@0.4.3 > father@0.10.6 > debug@1.0.4 > ms@0.6.2 wascally@0.2.7 > whistlepunk@0.2.0 > debug@2.1.1 > ms@0.6.2 -#2 Patch vulnerability https://snyk.io/vuln/npm:semver:20150403 in the following paths: +#2 Patch vulnerability https://security.snyk.io/vuln/npm:semver:20150403 in the following paths: spm-client@0.4.3 > semver@4.2.2 spm-client@0.4.3 > father@0.10.6 > semver@2.3.2 -#3 Patch vulnerability https://snyk.io/vuln/npm:uglify-js:20151024 in the following paths: +#3 Patch vulnerability https://security.snyk.io/vuln/npm:uglify-js:20151024 in the following paths: handlebars@4.0.3 > uglify-js@2.4.24 ------------------------ -#1 Ignore https://snyk.io/vuln/npm:tar:20151103 in the following paths: +#1 Ignore https://security.snyk.io/vuln/npm:tar:20151103 in the following paths: spm-client@0.4.3 > tar@1.0.3 Reason: Something better than a turnip Expires: Sun, 20 Dec 2015 16:37:39 GMT 
@@ -33,12 +33,12 @@ babel@5.8.29 > chokidar@1.2.0 > fsevents@1.0.2 > node-pre-gyp@0.6.12 > tar-pack@ Reason: Oranges Expires: Sun, 20 Dec 2015 16:37:39 GMT -#2 Ignore https://snyk.io/vuln/npm:uglify-js:20150824 in the following paths: +#2 Ignore https://security.snyk.io/vuln/npm:uglify-js:20150824 in the following paths: tap@0.7.1 > runforcover@0.0.2 > bunker@0.1.2 > burrito@0.2.12 > uglify-js@1.1.1 Reason: Fruits Expires: Sun, 20 Dec 2015 16:37:39 GMT -#3 Ignore https://snyk.io/vuln/npm:uglify-js:20151024 in the following paths: +#3 Ignore https://security.snyk.io/vuln/npm:uglify-js:20151024 in the following paths: tap@0.7.1 > runforcover@0.0.2 > bunker@0.1.2 > burrito@0.2.12 > uglify-js@1.1.1 Reason: Stuff Expires: Sun, 20 Dec 2015 16:37:39 GMT diff --git a/test/jest/unit/policy-display.spec.ts b/test/jest/unit/policy-display.spec.ts index 27fbaf4fdd..155114d363 100644 --- a/test/jest/unit/policy-display.spec.ts +++ b/test/jest/unit/policy-display.spec.ts @@ -3,9 +3,6 @@ import * as fs from 'fs'; import { display } from '../../../src/lib/display-policy'; import stripAnsi from 'strip-ansi'; import { getFixturePath } from '../util/getFixturePath'; -import config from '../../../src/lib/config'; - -const { hostname } = new URL(config.ROOT); it('test sensibly bails if gets an old .snyk format', async () => { const filename = getFixturePath('snyk-config-no-version'); @@ -21,12 +18,12 @@ it('test sensibly bails if gets an old .snyk format', async () => { .split('\n') .slice(3) .join('\n'); + const expected = expectedFileString .trim() - // replace hostname in policy if using env var SNYK_API - .replace(/snyk\.io/g, hostname) .split('\n') .slice(3) .join('\n'); + expect(result).toEqual(expected); }); From 3b5fcf7507b4c0d1d0bf9f6653417d72824151d0 Mon Sep 17 00:00:00 2001 From: Srdjan Miletic Date: Mon, 11 Jul 2022 16:49:12 +0100 Subject: [PATCH 11/12] fix: pip test --- .../cli-output-actionable-remediation.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/test/acceptance/workspaces/pip-app-transitive-vuln/cli-output-actionable-remediation.txt b/test/acceptance/workspaces/pip-app-transitive-vuln/cli-output-actionable-remediation.txt index 444703f414..14cf354b7d 100644 --- a/test/acceptance/workspaces/pip-app-transitive-vuln/cli-output-actionable-remediation.txt +++ b/test/acceptance/workspaces/pip-app-transitive-vuln/cli-output-actionable-remediation.txt @@ -7,17 +7,17 @@ Tested 6 dependencies for known vulnerabilities, found 4 vulnerabilities, 4 vuln Issues to fix by upgrading dependencies: Upgrade flask to 1.0 to fix - ✗ Improper Input Validation [High Severity][http://localhost:12345/vuln/SNYK-PYTHON-FLASK-42185] in flask@0.12.2 + ✗ Improper Input Validation [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-FLASK-42185] in flask@0.12.2 introduced by flask@0.12.2 - ✗ Denial of Service (DOS) [High Severity][http://localhost:12345/vuln/SNYK-PYTHON-FLASK-451637] in flask@0.12.2 + ✗ Denial of Service (DOS) [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-FLASK-451637] in flask@0.12.2 introduced by flask@0.12.2 Pin Jinja2 to 2.10.1 to fix - ✗ Sandbox Escape [Medium Severity][http://localhost:12345/vuln/SNYK-PYTHON-JINJA2-174126] in Jinja2@2.9.6 + ✗ Sandbox Escape [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-JINJA2-174126] in Jinja2@2.9.6 introduced by flask@0.12.2 > Jinja2@2.9.6 Pin Werkzeug to 0.15.3 to fix - ✗ Insufficient Randomness [High Severity][http://localhost:12345/vuln/SNYK-PYTHON-WERKZEUG-458931] in Werkzeug@0.12.2 + ✗ Insufficient Randomness [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-458931] in Werkzeug@0.12.2 introduced by flask@0.12.2 > Werkzeug@0.12.2 From aa3688f0cec72d4038163bf3f4f673f4230d01ff Mon Sep 17 00:00:00 2001 
From: Srdjan Miletic Date: Tue, 12 Jul 2022 13:58:44 +0100 Subject: [PATCH 12/12] refactor: use config values instead of hardcoding in spotlight vuln --- src/lib/spotlight-vuln-notification.ts | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/lib/spotlight-vuln-notification.ts b/src/lib/spotlight-vuln-notification.ts index 4109f3a7da..37dd1cfca7 100644 --- a/src/lib/spotlight-vuln-notification.ts +++ b/src/lib/spotlight-vuln-notification.ts @@ -1,6 +1,7 @@ import * as theme from './theme'; import * as createDebug from 'debug'; import { EOL } from 'os'; +import config from './config'; const debug = createDebug('snyk-spotlight-vuln-notification'); @@ -41,7 +42,7 @@ export function notificationForSpotlightVulns( ); for (const vulnId of foundSpotlightVulnsIds) { - message += ` - ${vulnId} (See https://security.snyk.io/vuln/${vulnId})`; + message += ` - ${vulnId} (See ${config.PUBLIC_VULN_DB_URL}/vuln/${vulnId})`; } message += EOL + EOL; @@ -50,9 +51,9 @@ export function notificationForSpotlightVulns( `We highly recommend fixing this vulnerability. If it cannot be fixed by upgrading, see mitigation information here:`, ) + EOL + - ' - https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720' + + ` - ${config.PUBLIC_VULN_DB_URL}/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720` + EOL + - ' - https://snyk.io/blog/log4shell-remediation-cheat-sheet/' + + ` - https://snyk.io/blog/log4shell-remediation-cheat-sheet/` + EOL; } }
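Review bot: In the second hunk of src/lib/spotlight-vuln-notification.ts the blog link becomes a template literal with no interpolation; keep it a plain string as the rest of the file does, `' - https://snyk.io/blog/log4shell-remediation-cheat-sheet/'`, so the `quotes` lint rule and readers do not look for a substitution that is not there. The same function now builds `${config.PUBLIC_VULN_DB_URL}/vuln/...` in two places; a small local helper such as `const vulnUrl = (id: string) => `${config.PUBLIC_VULN_DB_URL}/vuln/${id}`;` would keep the per-vuln loop and the hardcoded `SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720` line in step. `notificationForSpotlightVulns` begins before the first hunk, so I cannot see whether `config` is already in scope there via another path.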