fix(arborist): dont skip adding advisories to audit based on name/range

lukekarrys · Nathan Fritz · commit aa4a4da336a6 · 2022-04-13T14:34:34.000-07:00
When generating an audit report, a cache of seen advisories is kept to avoid doing any repeat fanout work on its nodes. Previously this cache was also preventing audits from being added to the report. This has been fixed so the cache is only used to prevent extra work, but all valid advisories are added to the output. Fixes #4681
diff --git a/workspaces/arborist/lib/audit-report.js b/workspaces/arborist/lib/audit-report.js
@@ -134,61 +134,58 @@ class AuditReport extends Map {
     const seen = new Set()
     for (const advisory of advisories) {
       const { name, range } = advisory
-
-      // don't flag the exact same name/range more than once
-      // adding multiple advisories with the same range is fine, but no
-      // need to search for nodes we already would have added.
       const k = `${name}@${range}`
-      if (seen.has(k)) {
-        continue
-      }
-
-      seen.add(k)
 
       const vuln = this.get(name) || new Vuln({ name, advisory })
       if (this.has(name)) {
         vuln.addAdvisory(advisory)
       }
       super.set(name, vuln)
 
-      const p = []
-      for (const node of this.tree.inventory.query('packageName', name)) {
-        if (!shouldAudit(node, this[_omit], this.filterSet)) {
-          continue
-        }
+      // don't flag the exact same name/range more than once
+      // adding multiple advisories with the same range is fine, but no
+      // need to search for nodes we already would have added.
+      if (!seen.has(k)) {
+        const p = []
+        for (const node of this.tree.inventory.query('packageName', name)) {
+          if (!shouldAudit(node, this[_omit], this.filterSet)) {
+            continue
+          }
 
-        // if not vulnerable by this advisory, keep searching
-        if (!advisory.testVersion(node.version)) {
-          continue
-        }
+          // if not vulnerable by this advisory, keep searching
+          if (!advisory.testVersion(node.version)) {
+            continue
+          }
 
-        // we will have loaded the source already if this is a metavuln
-        if (advisory.type === 'metavuln') {
-          vuln.addVia(this.get(advisory.dependency))
-        }
+          // we will have loaded the source already if this is a metavuln
+          if (advisory.type === 'metavuln') {
+            vuln.addVia(this.get(advisory.dependency))
+          }
 
-        // already marked this one, no need to do it again
-        if (vuln.nodes.has(node)) {
-          continue
-        }
+          // already marked this one, no need to do it again
+          if (vuln.nodes.has(node)) {
+            continue
+          }
 
-        // haven't marked this one yet.  get its dependents.
-        vuln.nodes.add(node)
-        for (const { from: dep, spec } of node.edgesIn) {
-          if (dep.isTop && !vuln.topNodes.has(dep)) {
-            this[_checkTopNode](dep, vuln, spec)
-          } else {
+          // haven't marked this one yet.  get its dependents.
+          vuln.nodes.add(node)
+          for (const { from: dep, spec } of node.edgesIn) {
+            if (dep.isTop && !vuln.topNodes.has(dep)) {
+              this[_checkTopNode](dep, vuln, spec)
+            } else {
             // calculate a metavuln, if necessary
-            const calc = this.calculator.calculate(dep.packageName, advisory)
-            p.push(calc.then(meta => {
-              if (meta.testVersion(dep.version, spec)) {
-                advisories.add(meta)
-              }
-            }))
+              const calc = this.calculator.calculate(dep.packageName, advisory)
+              p.push(calc.then(meta => {
+                if (meta.testVersion(dep.version, spec)) {
+                  advisories.add(meta)
+                }
+              }))
+            }
           }
         }
+        await Promise.all(p)
+        seen.add(k)
       }
-      await Promise.all(p)
 
       // make sure we actually got something.  if not, remove it
       // this can happen if you are loading from a lockfile created by
diff --git a/workspaces/arborist/tap-snapshots/test/audit-report.js.test.cjs b/workspaces/arborist/tap-snapshots/test/audit-report.js.test.cjs
@@ -123,6 +123,15 @@ exports[`test/audit-report.js TAP all severity levels > json version 1`] = `
           "severity": "high",
           "range": "<3.0.8 || >=4.0.0 <4.5.3"
         },
+        {
+          "source": 1325,
+          "name": "handlebars",
+          "dependency": "handlebars",
+          "title": "Prototype Pollution",
+          "url": "https://npmjs.com/advisories/1325",
+          "severity": "high",
+          "range": "<3.0.8 || >=4.0.0 <4.5.3"
+        },
         {
           "source": 755,
           "name": "handlebars",
@@ -448,6 +457,15 @@ exports[`test/audit-report.js TAP all severity levels > json version 1`] = `
           "url": "https://npmjs.com/advisories/1478",
           "severity": "high",
           "range": ">=4.1.0"
+        },
+        {
+          "source": 1479,
+          "name": "subtext",
+          "dependency": "subtext",
+          "title": "Prototype Pollution",
+          "url": "https://npmjs.com/advisories/1479",
+          "severity": "high",
+          "range": ">=0.0.0"
         }
       ],
       "effects": [],
@@ -558,6 +576,15 @@ exports[`test/audit-report.js TAP audit outdated nyc and mkdirp > json version 1
           "severity": "high",
           "range": "<3.0.8 || >=4.0.0 <4.5.3"
         },
+        {
+          "source": 1325,
+          "name": "handlebars",
+          "dependency": "handlebars",
+          "title": "Prototype Pollution",
+          "url": "https://npmjs.com/advisories/1325",
+          "severity": "high",
+          "range": "<3.0.8 || >=4.0.0 <4.5.3"
+        },
         {
           "source": 755,
           "name": "handlebars",
@@ -918,6 +945,15 @@ exports[`test/audit-report.js TAP audit outdated nyc and mkdirp with before: opt
           "severity": "high",
           "range": "<3.0.8 || >=4.0.0 <4.5.3"
         },
+        {
+          "source": 1325,
+          "name": "handlebars",
+          "dependency": "handlebars",
+          "title": "Prototype Pollution",
+          "url": "https://npmjs.com/advisories/1325",
+          "severity": "high",
+          "range": "<3.0.8 || >=4.0.0 <4.5.3"
+        },
         {
           "source": 755,
           "name": "handlebars",
@@ -1278,6 +1314,15 @@ exports[`test/audit-report.js TAP audit outdated nyc and mkdirp with newer endpo
           "severity": "high",
           "range": "<3.0.8 || >=4.0.0 <4.5.3"
         },
+        {
+          "source": 1325,
+          "name": "handlebars",
+          "dependency": "handlebars",
+          "title": "Prototype Pollution",
+          "url": "https://npmjs.com/advisories/1325",
+          "severity": "high",
+          "range": "<3.0.8 || >=4.0.0 <4.5.3"
+        },
         {
           "source": 755,
           "name": "handlebars",
@@ -2144,6 +2189,20 @@ Object {
           "versions": undefined,
           "vulnerableVersions": undefined,
         },
+        Object {
+          "cvss": undefined,
+          "cwe": undefined,
+          "dependency": "handlebars",
+          "id": undefined,
+          "name": "handlebars",
+          "range": "<3.0.8 || >=4.0.0 <4.5.3",
+          "severity": "high",
+          "source": 1325,
+          "title": "Prototype Pollution",
+          "url": "https://npmjs.com/advisories/1325",
+          "versions": undefined,
+          "vulnerableVersions": undefined,
+        },
         Object {
           "cvss": undefined,
           "cwe": undefined,
@@ -2623,6 +2682,20 @@ Object {
           "versions": undefined,
           "vulnerableVersions": undefined,
         },
+        Object {
+          "cvss": undefined,
+          "cwe": undefined,
+          "dependency": "handlebars",
+          "id": undefined,
+          "name": "handlebars",
+          "range": "<3.0.8 || >=4.0.0 <4.5.3",
+          "severity": "high",
+          "source": 1325,
+          "title": "Prototype Pollution",
+          "url": "https://npmjs.com/advisories/1325",
+          "versions": undefined,
+          "vulnerableVersions": undefined,
+        },
         Object {
           "cvss": undefined,
           "cwe": undefined,
@@ -2791,6 +2864,20 @@ Object {
           "versions": undefined,
           "vulnerableVersions": undefined,
         },
+        Object {
+          "cvss": undefined,
+          "cwe": undefined,
+          "dependency": "handlebars",
+          "id": undefined,
+          "name": "handlebars",
+          "range": "<3.0.8 || >=4.0.0 <4.5.3",
+          "severity": "high",
+          "source": 1325,
+          "title": "Prototype Pollution",
+          "url": "https://npmjs.com/advisories/1325",
+          "versions": undefined,
+          "vulnerableVersions": undefined,
+        },
         Object {
           "cvss": undefined,
           "cwe": undefined,
@@ -3270,6 +3357,20 @@ Object {
           "versions": undefined,
           "vulnerableVersions": undefined,
         },
+        Object {
+          "cvss": undefined,
+          "cwe": undefined,
+          "dependency": "handlebars",
+          "id": undefined,
+          "name": "handlebars",
+          "range": "<3.0.8 || >=4.0.0 <4.5.3",
+          "severity": "high",
+          "source": 1325,
+          "title": "Prototype Pollution",
+          "url": "https://npmjs.com/advisories/1325",
+          "versions": undefined,
+          "vulnerableVersions": undefined,
+        },
         Object {
           "cvss": undefined,
           "cwe": undefined,
@@ -3458,6 +3559,20 @@ Object {
           "versions": undefined,
           "vulnerableVersions": undefined,
         },
+        Object {
+          "cvss": undefined,
+          "cwe": undefined,
+          "dependency": "handlebars",
+          "id": undefined,
+          "name": "handlebars",
+          "range": "<3.0.8 || >=4.0.0 <4.5.3",
+          "severity": "high",
+          "source": 1325,
+          "title": "Prototype Pollution",
+          "url": "https://npmjs.com/advisories/1325",
+          "versions": undefined,
+          "vulnerableVersions": undefined,
+        },
         Object {
           "cvss": undefined,
           "cwe": undefined,
@@ -3927,6 +4042,20 @@ Object {
           "versions": undefined,
           "vulnerableVersions": undefined,
         },
+        Object {
+          "cvss": undefined,
+          "cwe": undefined,
+          "dependency": "handlebars",
+          "id": undefined,
+          "name": "handlebars",
+          "range": "<3.0.8 || >=4.0.0 <4.5.3",
+          "severity": "high",
+          "source": 1325,
+          "title": "Prototype Pollution",
+          "url": "https://npmjs.com/advisories/1325",
+          "versions": undefined,
+          "vulnerableVersions": undefined,
+        },
         Object {
           "cvss": undefined,
           "cwe": undefined,
