util::resources::check_vulnerability (public)

 util::resources::check_vulnerability -service service -library library \
    -version version

Defined in packages/acs-tcl/tcl/utilities-procs.tcl

Returns a dict containing vulnerability info with the keys "hasVulnerability", "libraryURL", "versionURL" and "cveURLs"

Switches:
-service (required)
name of the vulnerability checking service (currently only snyk)
-library (required)
name of the library as named by the vulnerability service
-version (required)
version of the library to be checked

Partial Call Graph (max 5 caller/called nodes):
%3 packages/acs-admin/www/posture-overview.tcl packages/acs-admin/ www/posture-overview.tcl util::resources::check_vulnerability util::resources::check_vulnerability packages/acs-admin/www/posture-overview.tcl->util::resources::check_vulnerability packages/acs-tcl/lib/check-installed.tcl packages/acs-tcl/ lib/check-installed.tcl packages/acs-tcl/lib/check-installed.tcl->util::resources::check_vulnerability dom dom util::resources::check_vulnerability->dom util::resources::http_get_with_default util::resources::http_get_with_default (private) util::resources::check_vulnerability->util::resources::http_get_with_default

Testcases:
No testcase defined.
Source code:
        set hasVulnerability ?
        ns_log notice "=== check_vulnerability for $library @$version from $service"
        set CVE {}
        switch $service {
            snyk {
                set vulnerabilityCheckURL https://security.snyk.io/package/npm/$library
                set vulnerabilityCheckVersionURL https://security.snyk.io/package/npm/$library/$version
                set vulnerabilityAdvisorURL https://snyk.io/advisor/npm-package/$library
                set page [::util::resources::http_get_with_default  -url $vulnerabilityCheckVersionURL  -key snyk-$library/$version]
                if {$page eq ""} {
                    unset vulnerabilityCheckVersionURL
                    ns_log notice "check_vulnerability: request failed $vulnerabilityCheckVersionURL"
                } else {
                    set hasVulnerability [string match "*Known vulnerabilities in the*package*" $page]
                    #ns_log notice RESULT=$page
                }
            }
            postgresql.org {
                set vulnerabilityCheckURL https://www.postgresql.org/support/security
                set hasVulnerability 0
                # clientversion 170004 serverversion 170004
                set major [expr {$version/10000}]
                set minor [expr {$version % 10000}]
                set versionNr $major.$minor
                ns_log notice "PG VERSION $versionNr"
                set page [::util::resources::http_get_with_default  -url $vulnerabilityCheckURL/$major  -key postgresql-$library/$major]
                #ns_log notice "PAGE=$page"
                dom parse -html -- $page doc
                $doc documentElement root
                foreach tr [$root selectNodes //tbody/tr] {
                    #ns_log notice "TR= [$tr asHTML]"
                    set freshVulnerability 0
                    set columns [$tr selectNodes td]
                    if {[llength $columns] != 5} {
                        continue
                    }
                    lassign $columns reference affected fixed component description
                    if {![string match *$library* [$component asText]]} {
                        continue
                    }
                    set fixedin .
                    foreach v [regsub -all , [$fixed asText] ""] {
                        regexp {^(\d+)[.](\d+)} $v . majorFix minorFix
                        set numFixed [expr {$majorFix*10000+$minorFix}]
                        if {$majorFix == $major && $version >= $numFixed} {
                            set freshVulnerability 0
                            #set hasVulnerability 0
                            continue
                        }
                        if {$version < $numFixed} {
                            if {$majorFix < $major} {
                                break
                            }
                            set hasVulnerability 1
                            set freshVulnerability 1
                            set fixedin $v
                            #break
                        }
                    }
                    if {$freshVulnerability} {
                        #ns_log notice "CVE [$reference asHTML]"
                        #ns_log notice "... fixed <[$fixed asText]> -> has vulnerability $hasVulnerability"
                        #ns_log notice "... component <[$component asText]>"
                        #ns_log notice "... CHECK [$reference asHTML]"
                        foreach url [$reference selectNodes .//a/@href] {
                            #ns_log notice "... check URL $url"
                            if {[regexp {(CVE[-]\d+[-]\d+)/} $url . cve]} {
                                ns_log notice "... URL $url"
                                set desc [$description asText]
                                regsub -all {more details$} $desc "" desc
                                lappend CVE [list  url https://www.postgresql.org/[lindex $url end]  fixedin $fixedin  name $cve  description $desc]
                            }
                        }
                    }
                }
                set vulnerabilityCheckVersionURL $vulnerabilityCheckURL/$major
                set vulnerabilityAdvisorURL ""
            }
            default {
                error "check_vulnerability: unknown service '$service'"
            }
        }
        ns_log notice "=== check_vulnerability for $library @$version -> $hasVulnerability"
        return [list hasVulnerability $hasVulnerability  libraryURL $vulnerabilityCheckURL  versionURL $vulnerabilityCheckVersionURL  advisorURL $vulnerabilityAdvisorURL  CVE $CVE]
XQL Not present:
PostgreSQL, Oracle
Generic XQL file:
packages/acs-tcl/tcl/utilities-procs.xql
