detect all reported vulnerabilities in r-advisory-database

r-multiverse · Sep 24, 2024 · 8b9efa3 · 8b9efa3
1 parent 554e59e
commit 8b9efa3
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 14 deletions.
diff --git a/DESCRIPTION b/DESCRIPTION
@@ -2,7 +2,7 @@ Package: multiverse.internals
 Title: Internal Infrastructure for R-multiverse
 Description: R-multiverse requires this internal infrastructure package to
   automate contribution reviews and populate universes.
-Version: 0.2.12
+Version: 0.2.13
 License: MIT + file LICENSE
 URL: https://github.com/r-multiverse/multiverse.internals
 BugReports: https://github.com/r-multiverse/multiverse.internals/issues
@@ -28,15 +28,16 @@ Authors@R: c(
 Depends:
   R (>= 3.6)
 Imports:
+  gert,
   gh,
   igraph,
   jsonlite,
   nanonext,
   pkgsearch,
+  stats,
   utils,
   vctrs
 Suggests:
-  gert,
   testthat (>= 3.0.0)
 Encoding: UTF-8
 Language: en-US

diff --git a/NAMESPACE b/NAMESPACE
@@ -19,6 +19,7 @@ export(review_pull_requests)
 export(staging_is_active)
 export(try_message)
 export(update_staging)
+importFrom(gert,git_clone)
 importFrom(gh,gh)
 importFrom(igraph,V)
 importFrom(igraph,graph)
@@ -32,6 +33,7 @@ importFrom(nanonext,ncurl)
 importFrom(nanonext,parse_url)
 importFrom(nanonext,status_code)
 importFrom(pkgsearch,cran_package)
+importFrom(stats,aggregate)
 importFrom(utils,available.packages)
 importFrom(utils,compareVersion)
 importFrom(vctrs,vec_rbind)

diff --git a/NEWS.md b/NEWS.md
@@ -1,3 +1,7 @@
+# multiverse.internals 0.2.13
+
+* Record issues for vulnerabilities in <https://github.com/RConsortium/r-advisory-database>.
+
 # multiverse.internals 0.2.12
 
 * Amend argument defaults in `propose_snapshot()` to include source files.

diff --git a/R/issues_descriptions.R b/R/issues_descriptions.R
@@ -25,7 +25,7 @@ issues_descriptions <- function(meta = meta_packages()) {
   meta <- issues_descriptions_advisories(meta)
   meta <- issues_descriptions_remotes(meta)
   meta <- meta[meta$issue,, drop = FALSE] # nolint
-  issues_list(meta[, c("package", "advisory", "remotes")])
+  issues_list(meta[, c("package", "advisories", "remotes")])
 }
 
 issues_descriptions_advisories <- function(meta) {
@@ -37,7 +37,7 @@ issues_descriptions_advisories <- function(meta) {
     all.x = TRUE,
     all.y = FALSE
   )
-  meta$issue <- meta$issue | !is.na(meta$advisory)
+  meta$issue <- meta$issue | !vapply(meta$advisories, anyNA, logical(1L))
   meta
 }
 
@@ -62,8 +62,7 @@ read_advisories <- function() {
     full.names = TRUE
   )
   out <- do.call(vctrs::vec_rbind, lapply(advisories, read_advisory))
-  keep <- !duplicated(out[, c("package", "version")])
-  out[keep,, drop = FALSE] # nolint
+  stats::aggregate(x = advisories ~ package + version, data = out, FUN = list)
 }
 
 read_advisory <- function(path) {
@@ -79,7 +78,7 @@ advisory_entry <- function(entry, path) {
   data.frame(
     package = entry$package$name,
     version = entry$versions,
-    advisory = file.path(
+    advisories = file.path(
       "https://github.com/RConsortium/r-advisory-database/blob/main/vulns",
       entry$package$name,
       basename(path)

diff --git a/R/package.R b/R/package.R
@@ -1,8 +1,10 @@
+#' @importFrom gert git_clone
 #' @importFrom gh gh
 #' @importFrom igraph graph neighbors subcomponent V
 #' @importFrom jsonlite parse_json read_json stream_in write_json
 #' @importFrom nanonext ncurl parse_url status_code
 #' @importFrom pkgsearch cran_package
+#' @importFrom stats aggregate
 #' @importFrom utils available.packages compareVersion
 #' @importFrom vctrs vec_rbind vec_slice
 NULL
diff --git a/tests/testthat/test-issues_descriptions.R b/tests/testthat/test-issues_descriptions.R
@@ -18,18 +18,29 @@ test_that("issues_descriptions() on a small repo", {
 
 test_that("issues_descriptions() with security advisories", {
   example <- mock_meta_packages$package == "nanonext"
+  commonmark <- mock_meta_packages[example,, drop = FALSE] # nolint
+  commonmark$package <- "commonmark"
+  commonmark$version <- "0.2"
   readxl <- mock_meta_packages[example,, drop = FALSE] # nolint
   readxl$package <- "readxl"
   readxl$version <- "1.4.1"
-  meta <- rbind(mock_meta_packages, readxl)
+  meta <- rbind(mock_meta_packages, commonmark, readxl)
   out <- issues_descriptions(meta)
-  url <- file.path(
-    "https://github.com/RConsortium/r-advisory-database",
-    "blob/main/vulns/readxl/RSEC-2023-2.yaml"
-  )
   exp <- list(
-    audio.whisper = list(remotes = "bnosac/audio.vadwebrtc"), 
-    readxl = list(advisory = url), 
+    audio.whisper = list(remotes = "bnosac/audio.vadwebrtc"),
+    commonmark = list(
+      advisories = file.path(
+        "https://github.com/RConsortium/r-advisory-database",
+        "blob/main/vulns/commonmark",
+        c("RSEC-2023-6.yaml", "RSEC-2023-7.yaml", "RSEC-2023-8.yaml")
+      )
+    ),
+    readxl = list(
+      advisories = file.path(
+        "https://github.com/RConsortium/r-advisory-database",
+        "blob/main/vulns/readxl/RSEC-2023-2.yaml"
+      )
+    ),
     stantargets = list(remotes = c("hyunjimoon/SBC", "stan-dev/cmdstanr")),
     tidypolars = list(remotes = "markvanderloo/tinytest/pkg")
   )