Fixing problems with using reqireignore.json with array identifiers l…

…ike CVE
pentestify · Aug 29, 2016 · 0722aeb · 0722aeb
1 parent d749b6a
commit 0722aeb
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 11 deletions.
diff --git a/example.retireignore.json b/example.retireignore.json
@@ -1,14 +1,17 @@
 [
 	{ 
 		"component": "jquery",
-		"identifiers" : { "issue": "2432"}
+		"identifiers" : { "issue": "2432"},
+		"justification" : "We dont call external resources with jQuery"
 	},
 	{ 
 		"component": "jquery",
-		"version" : "2.1.4"
+		"version" : "2.1.4",
+		"justification" : "We dont call external resources with jQuery"
 	},
 	{
-		"path" : "node_modules"
+		"path" : "node_modules",
+		"justification" : "The node modules are only used for building - client side dependencies are using bower"
 	}
 
 ]
diff --git a/node/lib/retire.js b/node/lib/retire.js
@@ -5,7 +5,7 @@
 
 
 var exports = exports || {};
-exports.version = '1.2.2';
+exports.version = '1.2.3';
 
 function isDefined(o) {
 	return typeof o !== 'undefined';

diff --git a/node/lib/scanner.js b/node/lib/scanner.js
@@ -75,12 +75,7 @@ function removeIgnored(results, ignores) {
       if (r.component !== i.component) return;
       if (i.version && r.version !== i.version) return;
       if (i.identifiers) {
-        r.vulnerabilities = r.vulnerabilities.filter(v => {
-          var matches = _.map(i.identifiers, (value, key) => {
-            return v.hasOwnProperty("identifiers") && v.identifiers.hasOwnProperty(key) && v.identifiers[key] === value;
-          });
-          return !matches.every(x => x === true);
-        });
+        removeIgnoredVulnerabilitiesByIdentifier(i.identifiers, r);
         return;
       }
       r.vulnerabilities = [];
@@ -89,6 +84,19 @@ function removeIgnored(results, ignores) {
   });
 }
 
+function removeIgnoredVulnerabilitiesByIdentifier(identifiers, result) {
+  result.vulnerabilities = result.vulnerabilities.filter(v => {
+    if (!v.hasOwnProperty("identifiers")) return true;
+    return !_.every(identifiers, (value, key) => hasIdentifier(v, key, value));
+  });
+}
+function hasIdentifier(vulnerability, key, value) {
+  if (!vulnerability.identifiers.hasOwnProperty(key)) return false;
+  var identifier = vulnerability.identifiers[key];
+  return Array.isArray(identifier) ? identifier.some(x => x === value) : identifier === value;
+}
+
+
 function scanJsFile(file, repo, options) {
   if (options.ignore && shouldIgnorePath([file], options.ignore)) {
     return;

diff --git a/node/package.json b/node/package.json
@@ -2,7 +2,7 @@
   "author": "Erlend Oftedal <[email protected]>",
   "name": "retire",
   "description": "Retire is a tool for detecting use of vulnerable libraries",
-  "version": "1.2.2",
+  "version": "1.2.3",
   "repository": {
     "type": "git",
     "url": "https://github.com/RetireJS/retire.js.git"