diff --git a/dist/index.js b/dist/index.js index 3bb352ef..0c453a20 100644 --- a/dist/index.js +++ b/dist/index.js @@ -12,7 +12,7 @@ const fs = __webpack_require__(747); const stream = __webpack_require__(413); const grypeBinary = "grype"; -const grypeVersion = "0.34.1"; +const grypeVersion = "0.34.4"; // Find all 'content-*.json' files in the directory. dirname should include the full path function findContent(searchDir) { diff --git a/index.js b/index.js index 2202b165..ebc96760 100644 --- a/index.js +++ b/index.js @@ -5,7 +5,7 @@ const fs = require("fs"); const stream = require("stream"); const grypeBinary = "grype"; -const grypeVersion = "0.34.1"; +const grypeVersion = "0.34.4"; // Find all 'content-*.json' files in the directory. dirname should include the full path function findContent(searchDir) { diff --git a/tests/__snapshots__/sarif_output.test.js.snap b/tests/__snapshots__/sarif_output.test.js.snap index ef161fca..82304472 100644 --- a/tests/__snapshots__/sarif_output.test.js.snap +++ b/tests/__snapshots__/sarif_output.test.js.snap @@ -1153,7 +1153,7 @@ Link: [CVE-2020-25708](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25 }, }, ], - "version": "0.34.1", + "version": "", }, }, }, @@ -1582,7 +1582,7 @@ Link: [GHSA-pq64-v7f5-gqh8](https://github.com/advisories/GHSA-pq64-v7f5-gqh8)", }, }, ], - "version": "0.34.1", + "version": "", }, }, }, @@ -1602,7 +1602,7 @@ Object { Object { "physicalLocation": Object { "artifactLocation": Object { - "uri": "tests/fixtures/npm-project/package-lock.json", + "uri": "package-lock.json", }, "region": Object { "endColumn": 1, @@ -1614,7 +1614,7 @@ Object { }, ], "message": Object { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, "ruleId": "CVE-2021-32803-tar", }, 
@@ -1623,7 +1623,7 @@ Object { Object { "physicalLocation": Object { "artifactLocation": Object { - "uri": "tests/fixtures/npm-project/package-lock.json", + "uri": "package-lock.json", }, "region": Object { "endColumn": 1, @@ -1635,7 +1635,7 @@ Object { }, ], "message": Object { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, "ruleId": "CVE-2021-37701-tar", }, @@ -1644,7 +1644,7 @@ Object { Object { "physicalLocation": Object { "artifactLocation": Object { - "uri": "tests/fixtures/npm-project/package-lock.json", + "uri": "package-lock.json", }, "region": Object { "endColumn": 1, @@ -1656,7 +1656,7 @@ Object { }, ], "message": Object { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, "ruleId": "CVE-2021-37712-tar", }, @@ -1665,7 +1665,7 @@ Object { Object { "physicalLocation": Object { "artifactLocation": Object { - "uri": "tests/fixtures/npm-project/package-lock.json", + "uri": "package-lock.json", }, "region": Object { "endColumn": 1, @@ -1677,7 +1677,7 @@ Object { }, ], "message": Object { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, "ruleId": "CVE-2021-37713-tar", }, 
@@ -1686,7 +1686,7 @@ Object { Object { "physicalLocation": Object { "artifactLocation": Object { - "uri": "tests/fixtures/npm-project/package-lock.json", + "uri": "package-lock.json", }, "region": Object { "endColumn": 1, @@ -1698,7 +1698,7 @@ Object { }, ], "message": Object { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, "ruleId": "GHSA-3jfq-g458-7qm9-tar", }, @@ -1707,7 +1707,7 @@ Object { Object { "physicalLocation": Object { "artifactLocation": Object { - "uri": "tests/fixtures/npm-project/package-lock.json", + "uri": "package-lock.json", }, "region": Object { "endColumn": 1, @@ -1719,7 +1719,7 @@ Object { }, ], "message": Object { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, "ruleId": "GHSA-5955-9wpr-37jh-tar", }, @@ -1728,7 +1728,7 @@ Object { Object { "physicalLocation": Object { "artifactLocation": Object { - "uri": "tests/fixtures/npm-project/package-lock.json", + "uri": "package-lock.json", }, "region": Object { "endColumn": 1, @@ -1740,7 +1740,7 @@ Object { }, ], "message": Object { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, "ruleId": "GHSA-9r2w-394v-53qc-tar", }, 
@@ -1749,7 +1749,7 @@ Object { Object { "physicalLocation": Object { "artifactLocation": Object { - "uri": "tests/fixtures/npm-project/package-lock.json", + "uri": "package-lock.json", }, "region": Object { "endColumn": 1, @@ -1761,7 +1761,7 @@ Object { }, ], "message": Object { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, "ruleId": "GHSA-qq89-hq3f-393p-tar", }, @@ -1770,7 +1770,7 @@ Object { Object { "physicalLocation": Object { "artifactLocation": Object { - "uri": "tests/fixtures/npm-project/package-lock.json", + "uri": "package-lock.json", }, "region": Object { "endColumn": 1, @@ -1782,7 +1782,7 @@ Object { }, ], "message": Object { - "text": "The path tests/fixtures/npm-project/package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", + "text": "The path package-lock.json reports tar at version 6.1.0 which would result in a vulnerable (npm) package installed", }, "ruleId": "GHSA-r628-mhmh-qjhw-tar", }, @@ -1800,7 +1800,7 @@ Object { "markdown": "**Vulnerability CVE-2021-32803** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | | npm | tests/fixtures/npm-project/package-lock.json | nvd | [CVE-2021-32803](https://nvd.nist.gov/vuln/detail/CVE-2021-32803) | +| high | tar | 6.1.0 | | npm | package-lock.json | nvd | [CVE-2021-32803](https://nvd.nist.gov/vuln/detail/CVE-2021-32803) | ", "text": "Vulnerability CVE-2021-32803 Severity: high 
@@ -1808,7 +1808,7 @@ Package: tar Version: 6.1.0 Fix Version: Type: npm -Location: tests/fixtures/npm-project/package-lock.json +Location: package-lock.json Data Namespace: nvd Link: [CVE-2021-32803](https://nvd.nist.gov/vuln/detail/CVE-2021-32803)", }, @@ -1830,7 +1830,7 @@ Link: [CVE-2021-32803](https://nvd.nist.gov/vuln/detail/CVE-2021-32803)", "markdown": "**Vulnerability CVE-2021-37701** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | | npm | tests/fixtures/npm-project/package-lock.json | nvd | [CVE-2021-37701](https://nvd.nist.gov/vuln/detail/CVE-2021-37701) | +| high | tar | 6.1.0 | | npm | package-lock.json | nvd | [CVE-2021-37701](https://nvd.nist.gov/vuln/detail/CVE-2021-37701) | ", "text": "Vulnerability CVE-2021-37701 Severity: high @@ -1838,7 +1838,7 @@ Package: tar Version: 6.1.0 Fix Version: Type: npm -Location: tests/fixtures/npm-project/package-lock.json +Location: package-lock.json Data Namespace: nvd Link: [CVE-2021-37701](https://nvd.nist.gov/vuln/detail/CVE-2021-37701)", }, @@ -1860,7 +1860,7 @@ Link: [CVE-2021-37701](https://nvd.nist.gov/vuln/detail/CVE-2021-37701)", "markdown": "**Vulnerability CVE-2021-37712** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | | npm | tests/fixtures/npm-project/package-lock.json | nvd | [CVE-2021-37712](https://nvd.nist.gov/vuln/detail/CVE-2021-37712) | +| high | tar | 6.1.0 | | npm | package-lock.json | nvd | [CVE-2021-37712](https://nvd.nist.gov/vuln/detail/CVE-2021-37712) | ", "text": "Vulnerability CVE-2021-37712 Severity: high @@ -1868,7 +1868,7 @@ Package: tar Version: 6.1.0 Fix Version: Type: npm -Location: tests/fixtures/npm-project/package-lock.json +Location: package-lock.json Data Namespace: nvd Link: [CVE-2021-37712](https://nvd.nist.gov/vuln/detail/CVE-2021-37712)", }, 
@@ -1890,7 +1890,7 @@ Link: [CVE-2021-37712](https://nvd.nist.gov/vuln/detail/CVE-2021-37712)", "markdown": "**Vulnerability CVE-2021-37713** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | | npm | tests/fixtures/npm-project/package-lock.json | nvd | [CVE-2021-37713](https://nvd.nist.gov/vuln/detail/CVE-2021-37713) | +| high | tar | 6.1.0 | | npm | package-lock.json | nvd | [CVE-2021-37713](https://nvd.nist.gov/vuln/detail/CVE-2021-37713) | ", "text": "Vulnerability CVE-2021-37713 Severity: high @@ -1898,7 +1898,7 @@ Package: tar Version: 6.1.0 Fix Version: Type: npm -Location: tests/fixtures/npm-project/package-lock.json +Location: package-lock.json Data Namespace: nvd Link: [CVE-2021-37713](https://nvd.nist.gov/vuln/detail/CVE-2021-37713)", }, @@ -1920,7 +1920,7 @@ Link: [CVE-2021-37713](https://nvd.nist.gov/vuln/detail/CVE-2021-37713)", "markdown": "**Vulnerability GHSA-3jfq-g458-7qm9** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | 6.1.1 | npm | tests/fixtures/npm-project/package-lock.json | github:npm | [GHSA-3jfq-g458-7qm9](https://github.com/advisories/GHSA-3jfq-g458-7qm9) | +| high | tar | 6.1.0 | 6.1.1 | npm | package-lock.json | github:npm | [GHSA-3jfq-g458-7qm9](https://github.com/advisories/GHSA-3jfq-g458-7qm9) | ", "text": "Vulnerability GHSA-3jfq-g458-7qm9 Severity: high @@ -1928,7 +1928,7 @@ Package: tar Version: 6.1.0 Fix Version: 6.1.1 Type: npm -Location: tests/fixtures/npm-project/package-lock.json +Location: package-lock.json Data Namespace: github:npm Link: [GHSA-3jfq-g458-7qm9](https://github.com/advisories/GHSA-3jfq-g458-7qm9)", }, 
@@ -1950,7 +1950,7 @@ Link: [GHSA-3jfq-g458-7qm9](https://github.com/advisories/GHSA-3jfq-g458-7qm9)", "markdown": "**Vulnerability GHSA-5955-9wpr-37jh** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | 6.1.9 | npm | tests/fixtures/npm-project/package-lock.json | github:npm | [GHSA-5955-9wpr-37jh](https://github.com/advisories/GHSA-5955-9wpr-37jh) | +| high | tar | 6.1.0 | 6.1.9 | npm | package-lock.json | github:npm | [GHSA-5955-9wpr-37jh](https://github.com/advisories/GHSA-5955-9wpr-37jh) | ", "text": "Vulnerability GHSA-5955-9wpr-37jh Severity: high @@ -1958,7 +1958,7 @@ Package: tar Version: 6.1.0 Fix Version: 6.1.9 Type: npm -Location: tests/fixtures/npm-project/package-lock.json +Location: package-lock.json Data Namespace: github:npm Link: [GHSA-5955-9wpr-37jh](https://github.com/advisories/GHSA-5955-9wpr-37jh)", }, @@ -1980,7 +1980,7 @@ Link: [GHSA-5955-9wpr-37jh](https://github.com/advisories/GHSA-5955-9wpr-37jh)", "markdown": "**Vulnerability GHSA-9r2w-394v-53qc** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | 6.1.7 | npm | tests/fixtures/npm-project/package-lock.json | github:npm | [GHSA-9r2w-394v-53qc](https://github.com/advisories/GHSA-9r2w-394v-53qc) | +| high | tar | 6.1.0 | 6.1.7 | npm | package-lock.json | github:npm | [GHSA-9r2w-394v-53qc](https://github.com/advisories/GHSA-9r2w-394v-53qc) | ", "text": "Vulnerability GHSA-9r2w-394v-53qc Severity: high @@ -1988,7 +1988,7 @@ Package: tar Version: 6.1.0 Fix Version: 6.1.7 Type: npm -Location: tests/fixtures/npm-project/package-lock.json +Location: package-lock.json Data Namespace: github:npm Link: [GHSA-9r2w-394v-53qc](https://github.com/advisories/GHSA-9r2w-394v-53qc)", }, 
@@ -2010,7 +2010,7 @@ Link: [GHSA-9r2w-394v-53qc](https://github.com/advisories/GHSA-9r2w-394v-53qc)", "markdown": "**Vulnerability GHSA-qq89-hq3f-393p** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | 6.1.9 | npm | tests/fixtures/npm-project/package-lock.json | github:npm | [GHSA-qq89-hq3f-393p](https://github.com/advisories/GHSA-qq89-hq3f-393p) | +| high | tar | 6.1.0 | 6.1.9 | npm | package-lock.json | github:npm | [GHSA-qq89-hq3f-393p](https://github.com/advisories/GHSA-qq89-hq3f-393p) | ", "text": "Vulnerability GHSA-qq89-hq3f-393p Severity: high @@ -2018,7 +2018,7 @@ Package: tar Version: 6.1.0 Fix Version: 6.1.9 Type: npm -Location: tests/fixtures/npm-project/package-lock.json +Location: package-lock.json Data Namespace: github:npm Link: [GHSA-qq89-hq3f-393p](https://github.com/advisories/GHSA-qq89-hq3f-393p)", }, @@ -2040,7 +2040,7 @@ Link: [GHSA-qq89-hq3f-393p](https://github.com/advisories/GHSA-qq89-hq3f-393p)", "markdown": "**Vulnerability GHSA-r628-mhmh-qjhw** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -| high | tar | 6.1.0 | 6.1.2 | npm | tests/fixtures/npm-project/package-lock.json | github:npm | [GHSA-r628-mhmh-qjhw](https://github.com/advisories/GHSA-r628-mhmh-qjhw) | +| high | tar | 6.1.0 | 6.1.2 | npm | package-lock.json | github:npm | [GHSA-r628-mhmh-qjhw](https://github.com/advisories/GHSA-r628-mhmh-qjhw) | ", "text": "Vulnerability GHSA-r628-mhmh-qjhw Severity: high @@ -2048,7 +2048,7 @@ Package: tar Version: 6.1.0 Fix Version: 6.1.2 Type: npm -Location: tests/fixtures/npm-project/package-lock.json +Location: package-lock.json Data Namespace: github:npm Link: [GHSA-r628-mhmh-qjhw](https://github.com/advisories/GHSA-r628-mhmh-qjhw)", }, 
@@ -2063,7 +2063,7 @@ Link: [GHSA-r628-mhmh-qjhw](https://github.com/advisories/GHSA-r628-mhmh-qjhw)", }, }, ], - "version": "0.34.1", + "version": "", }, }, }, @@ -2083,7 +2083,7 @@ Object { Object { "physicalLocation": Object { "artifactLocation": Object { - "uri": "tests/fixtures/yarn-project/yarn.lock", + "uri": "yarn.lock", }, "region": Object { "endColumn": 1, @@ -2095,7 +2095,7 @@ Object { }, ], "message": Object { - "text": "The path tests/fixtures/yarn-project/yarn.lock reports trim at version 0.0.2 which would result in a vulnerable (npm) package installed", + "text": "The path yarn.lock reports trim at version 0.0.2 which would result in a vulnerable (npm) package installed", }, "ruleId": "CVE-2020-7753-trim", }, @@ -2104,7 +2104,7 @@ Object { Object { "physicalLocation": Object { "artifactLocation": Object { - "uri": "tests/fixtures/yarn-project/yarn.lock", + "uri": "yarn.lock", }, "region": Object { "endColumn": 1, @@ -2116,7 +2116,7 @@ Object { }, ], "message": Object { - "text": "The path tests/fixtures/yarn-project/yarn.lock reports trim at version 0.0.2 which would result in a vulnerable (npm) package installed", + "text": "The path yarn.lock reports trim at version 0.0.2 which would result in a vulnerable (npm) package installed", }, "ruleId": "GHSA-w5p7-h5w8-2hfq-trim", }, @@ -2134,7 +2134,7 @@ Object { "markdown": "**Vulnerability CVE-2020-7753** | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link | | --- | --- | --- | --- | --- | --- | --- | --- | -| high | trim | 0.0.2 | | npm | tests/fixtures/yarn-project/yarn.lock | nvd | [CVE-2020-7753](https://nvd.nist.gov/vuln/detail/CVE-2020-7753) | +| high | trim | 0.0.2 | | npm | yarn.lock | nvd | [CVE-2020-7753](https://nvd.nist.gov/vuln/detail/CVE-2020-7753) | ", "text": "Vulnerability CVE-2020-7753 Severity: high 
@@ -2142,7 +2142,7 @@ Package: trim
 Version: 0.0.2
 Fix Version:
 Type: npm
-Location: tests/fixtures/yarn-project/yarn.lock
+Location: yarn.lock
 Data Namespace: nvd
 Link: [CVE-2020-7753](https://nvd.nist.gov/vuln/detail/CVE-2020-7753)",
 },
@@ -2164,7 +2164,7 @@ Link: [GHSA-w5p7-h5w8-2hfq](https://github.com/advisories/GHSA-w5p7-h5w8-2hfq)",
 "markdown": "**Vulnerability GHSA-w5p7-h5w8-2hfq**
 | Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |
 | --- | --- | --- | --- | --- | --- | --- | --- |
-| high | trim | 0.0.2 | 0.0.3 | npm | tests/fixtures/yarn-project/yarn.lock | github:npm | [GHSA-w5p7-h5w8-2hfq](https://github.com/advisories/GHSA-w5p7-h5w8-2hfq) |
+| high | trim | 0.0.2 | 0.0.3 | npm | yarn.lock | github:npm | [GHSA-w5p7-h5w8-2hfq](https://github.com/advisories/GHSA-w5p7-h5w8-2hfq) |
 ",
 "text": "Vulnerability GHSA-w5p7-h5w8-2hfq
 Severity: high
@@ -2172,7 +2172,7 @@ Package: trim
 Version: 0.0.2
 Fix Version: 0.0.3
 Type: npm
-Location: tests/fixtures/yarn-project/yarn.lock
+Location: yarn.lock
 Data Namespace: github:npm
 Link: [GHSA-w5p7-h5w8-2hfq](https://github.com/advisories/GHSA-w5p7-h5w8-2hfq)",
 },
@@ -2187,7 +2187,7 @@ Link: [GHSA-w5p7-h5w8-2hfq](https://github.com/advisories/GHSA-w5p7-h5w8-2hfq)",
 },
 },
 ],
-"version": "0.34.1",
+"version": "",
 },
 },
 },
diff --git a/tests/sarif_output.test.js b/tests/sarif_output.test.js
index b786642c..80d65869 100644
--- a/tests/sarif_output.test.js
+++ b/tests/sarif_output.test.js
@@ -27,6 +27,10 @@ const testSource = async (source, vulnerabilities) => {
 const sarif = JSON.parse(sarifFile);
 expect(sarif).toBeValidSarifLog();
 
+if (sarif.runs && sarif.runs.length > 0) {
+sarif.runs[0].tool.driver.version = "";
+}
+
 for (let run of sarif.runs || []) {
 for (let result of run.results || []) {
 for (let loc of result.locations || []) {
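Review bot: The added `if` block erases `tool.driver.version` before anything has checked it, so a run whose driver version is missing or empty would now pass the snapshot unnoticed; assert on it first, e.g. `expect(sarif.runs[0].tool.driver.version).toMatch(/^\d+\.\d+\.\d+/);` and only then blank it. It also touches only `runs[0]`, while the loop that follows walks every entry of `sarif.runs`, so any further run would still carry the version into the snapshot; moving the assignment into that loop as `run.tool.driver.version = "";` keeps the two in step. A one-line comment such as `// normalised: the driver version tracks the pinned grype release and would otherwise churn the snapshot` would record why the value is discarded, which is presumably the reason given the grype bump in the same commit. The body of testSource continues outside the hunk.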