socket-cli/src/commands/fix/handle-fix.mts at 5494efbcb3caf35d41f83787a542321dbdf62421 · SocketDev/socket-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
import { joinAnd } from '@socketsecurity/registry/lib/arrays'
import { debugDir, debugFn } from '@socketsecurity/registry/lib/debug'
import { logger } from '@socketsecurity/registry/lib/logger'

import { coanaFix } from './coana-fix.mts'
import { outputFixResult } from './output-fix-result.mts'
import { convertCveToGhsa } from '../../utils/cve-to-ghsa.mts'
import { convertPurlToGhsas } from '../../utils/purl-to-ghsa.mts'

import type { FixConfig } from './types.mts'
import type { OutputKind } from '../../types.mts'
import type { Remap } from '@socketsecurity/registry/lib/objects'

const GHSA_FORMAT_REGEXP = /^GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/
const CVE_FORMAT_REGEXP = /^CVE-\d{4}-\d{4,}$/

export type HandleFixConfig = Remap<
  FixConfig & {
    applyFixes: boolean
    coanaVersion?: string | undefined
    ghsas: string[]
    orgSlug: string
    outputKind: OutputKind
    unknownFlags: string[]
  }
>

/**
 * Converts mixed CVE/GHSA/PURL IDs to GHSA IDs only.
 * Filters out invalid IDs and logs conversion results.
 */
export async function convertIdsToGhsas(ids: string[]): Promise<string[]> {
  debugFn('notice', `Converting ${ids.length} IDs to GHSA format`)
  debugDir('inspect', { ids })

  const validGhsas: string[] = []
  const errors: string[] = []

  for (const id of ids) {
    const trimmedId = id.trim()

    if (trimmedId.startsWith('GHSA-')) {
      // Already a GHSA ID, validate format
      if (GHSA_FORMAT_REGEXP.test(trimmedId)) {
        validGhsas.push(trimmedId)
      } else {
        errors.push(`Invalid GHSA format: ${trimmedId}`)
      }
    } else if (trimmedId.startsWith('CVE-')) {
      // Convert CVE to GHSA
      if (!CVE_FORMAT_REGEXP.test(trimmedId)) {
        errors.push(`Invalid CVE format: ${trimmedId}`)
        continue
      }

      // eslint-disable-next-line no-await-in-loop
      const conversionResult = await convertCveToGhsa(trimmedId)
      if (conversionResult.ok) {
        validGhsas.push(conversionResult.data)
        logger.info(`Converted ${trimmedId} to ${conversionResult.data}`)
      } else {
        errors.push(`${trimmedId}: ${conversionResult.message}`)
      }
    } else if (trimmedId.startsWith('pkg:')) {
      // Convert PURL to GHSAs
      // eslint-disable-next-line no-await-in-loop
      const conversionResult = await convertPurlToGhsas(trimmedId)
      if (conversionResult.ok && conversionResult.data.length) {
        validGhsas.push(...conversionResult.data)
        logger.info(
          `Converted ${trimmedId} to ${conversionResult.data.length} GHSA(s): ${joinAnd(conversionResult.data)}`,
        )
      } else {
        errors.push(
          `${trimmedId}: ${conversionResult.message || 'No GHSAs found'}`,
        )
      }
    } else {
      // Neither CVE, GHSA, nor PURL, skip
      errors.push(
        `Unsupported ID format (expected CVE, GHSA, or PURL): ${trimmedId}`,
      )
    }
  }

  if (errors.length) {
    logger.warn(
      `Skipped ${errors.length} invalid IDs:\n${errors.map(e => `  - ${e}`).join('\n')}`,
    )
    debugDir('inspect', { errors })
  }

  debugFn('notice', `Converted to ${validGhsas.length} valid GHSA IDs`)
  debugDir('inspect', { validGhsas })

  return validGhsas
}

export async function handleFix({
  all,
  applyFixes,
  autopilot,
  coanaVersion,
  cwd,
  disableMajorUpdates,
  ecosystems,
  exclude,
  ghsas,
  include,
  minSatisfying,
  minimumReleaseAge,
  orgSlug,
  outputFile,
  outputKind,
  prCheck,
  prLimit,
  rangeStyle,
  showAffectedDirectDependencies,
  spinner,
  unknownFlags,
}: HandleFixConfig) {
  debugFn('notice', `Starting fix command for ${orgSlug}`)
  debugDir('inspect', {
    all,
    applyFixes,
    autopilot,
    coanaVersion,
    cwd,
    disableMajorUpdates,
    ecosystems,
    exclude,
    ghsas,
    include,
    minSatisfying,
    minimumReleaseAge,
    outputFile,
    outputKind,
    prCheck,
    prLimit,
    rangeStyle,
    showAffectedDirectDependencies,
    unknownFlags,
  })

  await outputFixResult(
    await coanaFix({
      all,
      applyFixes,
      autopilot,
      coanaVersion,
      cwd,
      disableMajorUpdates,
      ecosystems,
      exclude,
      // Convert mixed CVE/GHSA/PURL inputs to GHSA IDs only.
      ghsas: await convertIdsToGhsas(ghsas),
      include,
      minimumReleaseAge,
      minSatisfying,
      orgSlug,
      outputFile,
      prCheck,
      prLimit,
      rangeStyle,
      showAffectedDirectDependencies,
      spinner,
      unknownFlags,
    }),
    outputKind,
  )
}