Atlassian Vulnerabilitiey API Interpretation code

atlassian-vulnerabilitiey-api-interpretation.ts

import { parse, valid } from "semver";

type Status = "AFFECTED" | "FIXED"

function isVulnerable(selectedVersion: string, versions: [string, Status][]) {
    return isFilterSelected(selectedVersion, versions) || checkVersionAffected(selectedVersion, versions);
}

function isFilterSelected(selectedVersion: string, versions: [string, Status][]) {
    return versions
        .filter(v => v[1] === "AFFECTED")
        // Get a list of the versions from the CVE and check if they exist in the filtered version
        .map(a => a[0])
        .includes(selectedVersion);
}

// takes a version and checks if it is within the ranges of a list of fixed versions (sorted from lowest to highest)
// returns true if not within the fixed versions (therefore it's a vulnerable/affected version)
// returns false otherwise
function checkVersionAffected(selectedVersion: string, versions: [string, Status][]): boolean {
    let version = parse(selectedVersion);
    let parsedFixedVersion = versions
        .filter(v => v[1] === "FIXED")
        .map(v => parse(v[0]))
        .filter(v => v != null)
        .sort((a, b) => compareSemanticVersions(String(a), String(b)));
    let parsedIntroducedVersion = versions
        .filter(v => v[1] === "AFFECTED")
        .map(v => parse(v[0]))
        .filter(v => v != null)
        .sort((a, b) => compareSemanticVersions(String(a), String(b)));

    if (version == null) {
        return false;
    }

    for (let i = 0; i < parsedFixedVersion.length; i++) {
        // only compare patch version ranges if the version's major & minor values are the same as any fixed version
        if (version.major === parsedFixedVersion[i]?.major && version.minor === parsedFixedVersion[i]?.minor) {
            if (parsedFixedVersion[i]?.patch !== undefined && version.patch >= (parsedFixedVersion[i]?.patch || 0)) {
                return false;
            } else {
                return true;
            }
        }

        // only compare minor version ranges if the version's major values are the same as any fixed version
        if (version.major === parsedFixedVersion[i]?.major) {
            if (parsedFixedVersion[i]?.minor !== undefined && version.minor >= (parsedFixedVersion[i]?.minor || 0)) {
                return false;
            } else {
                return true;
            }
        }
    }

    // any version outside of the latest fixed version range isn't affected
    if (
        parsedFixedVersion[parsedFixedVersion.length - 1]?.major !== undefined &&
        version.major > (parsedFixedVersion[parsedFixedVersion.length - 1]?.major || 0)
    ) {
        return false;
    }

    // any version under the earliest fixed version and still in the introduced version is affected
    if (
        parsedFixedVersion[0]?.major !== undefined &&
        parsedIntroducedVersion[0]?.major !== undefined &&
        version.major < parsedFixedVersion[0]?.major &&
        version.major >= parsedIntroducedVersion[0]?.major
    ) {
        return true;
    }

    return false;
}

function compareSemanticVersions(a: string, b: string) {
    // 1. Split the strings into their parts.
    const a1 = a.split(".");
    const b1 = b.split(".");
    // 2. Contingency in case there's a 4th or 5th version
    const len = Math.min(a1.length, b1.length);
    // 3. Look through each version number and compare.
    for (let i = 0; i < len; i++) {
        const a2 = +a1[i] || 0;
        const b2 = +b1[i] || 0;

        if (a2 !== b2) {
            return a2 > b2 ? 1 : -1;
        }
    }

    // 4. We hit this if the all checked versions so far are equal
    return b1.length - a1.length;
}