brew-vulns 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d1e6ed689e85382d79c401a23c21c55e393038dba7b5f3ec52f90196904effe1
-  data.tar.gz: 55400c9cafeb368de7f8079363d0e46ae851e0f4cd16f4984139da655e84a36d
+  metadata.gz: 72efd9c1dafe1b2b35c1f0ade267d45827870a12ad5d3d39104edbf18737d458
+  data.tar.gz: 893b6844b30213daa63a16e0aa89b2c9fab619615b4fc467c8172f8303b91533
 SHA512:
-  metadata.gz: b2f086436e55e908a72b5e22b07e7890f99f5ff34a98c4db863f4121f3a7961f86036ca772e5a35d171beaa4c70f29425f5b224513c931f612a8ed3f183eeb0f
-  data.tar.gz: dd7ba735193a41955bca5e1a66cfc6340441bcf4baad3cca231b1490b51f0efede7436e1cb564eb6a02f889d682241ef4c73a904754121ea7080044abbf90931
+  metadata.gz: 673a4f8eb760b9e12eccab25ae324f514a480580497e5629c57483351f3a8e5fb93a9fe6573ce55e19e03430e9daebdf836335e2485c6f7f059cb5579e817c53
+  data.tar.gz: eda56de2b35ab3406f6d1c74de3e4df9ad075e227cd76d08e534e5fa2326373f3bc3e520044bf3f1b98103dde0b5ac5e65ba0d087b8f112c9ab798b7b4709548

data/CHANGELOG.md

@@ -1,5 +1,16 @@
 ## [Unreleased]
 
+## [0.2.0] - 2026-01-08
+
+- Add CycloneDX SBOM output with vulnerabilities (`--cyclonedx`)
+- Add Brewfile scanning support (`--brewfile`) to check packages from a Brewfile
+- Add SARIF output for GitHub code scanning integration (`--sarif`)
+- Add severity filtering to only show vulnerabilities at or above a threshold (`--severity`)
+- Add configurable summary truncation length (`--max-summary`)
+- Fetch vulnerability details in parallel for faster scans
+- Add GitLab and Codeberg support alongside GitHub
+- Log warnings when version parsing fails instead of silently ignoring errors
+
 ## [0.1.0] - 2026-01-08
 
 - Initial release

data/README.md

@@ -21,6 +21,25 @@ Once installed, the command is available as `brew vulns`.
 
 ## Usage
 
+```bash
+brew vulns [formula] [options]
+```
+
+### Options
+
+| Flag | Long form | Description |
+|------|-----------|-------------|
+| `-b PATH` | `--brewfile PATH` | Scan packages from a Brewfile (default: ./Brewfile) |
+| `-d` | `--deps` | Include dependencies when checking a specific formula or Brewfile |
+| `-j` | `--json` | Output results as JSON |
+| | `--cyclonedx` | Output results as CycloneDX SBOM with vulnerabilities |
+| | `--sarif` | Output results as SARIF for GitHub code scanning |
+| `-m N` | `--max-summary N` | Truncate summaries to N characters (default: 60, 0 for no limit) |
+| `-s LEVEL` | `--severity LEVEL` | Only show vulnerabilities at or above LEVEL (low, medium, high, critical) |
+| `-h` | `--help` | Show help message |
+
+### Examples
+
 ```bash
 # Check all installed packages
 brew vulns
@@ -31,9 +50,33 @@ brew vulns openssl
 # Check a formula and its dependencies
 brew vulns python --deps
 
+# Scan packages from a Brewfile
+brew vulns --brewfile
+
+# Scan a specific Brewfile
+brew vulns -b ~/project/Brewfile
+
+# Scan Brewfile packages and their dependencies
+brew vulns --brewfile --deps
+
 # Output as JSON (useful for CI/CD)
 brew vulns --json
 
+# Show longer summaries
+brew vulns --max-summary 100
+
+# Show full summaries (no truncation)
+brew vulns -m 0
+
+# Only show HIGH and CRITICAL vulnerabilities
+brew vulns --severity high
+
+# Output as CycloneDX SBOM with vulnerabilities
+brew vulns --cyclonedx > sbom.cdx.json
+
+# Output as SARIF for GitHub code scanning
+brew vulns --sarif > results.sarif
+
 # Show help
 brew vulns --help
 ```
@@ -41,17 +84,17 @@ brew vulns --help
 ## How it works
 
 1. Reads installed Homebrew formulae via `brew info --json=v2 --installed`
-2. Extracts the GitHub repository URL and version tag from each formula's source URL
+2. Extracts the repository URL and version tag from each formula's source URL
 3. Queries the OSV API using the GIT ecosystem to find known vulnerabilities
 4. Reports any vulnerabilities found with their severity and CVE identifiers
 
-Only packages with GitHub source URLs can be checked. Packages from other sources are skipped.
+Packages with GitHub, GitLab, or Codeberg source URLs are checked. Packages from other sources are skipped.
 
 ## Example output
 
 ```
 Checking 104 packages for vulnerabilities...
-(119 packages skipped - no GitHub source URL)
+(119 packages skipped - no supported source URL)
 
 expat (2.7.3)
   CVE-2025-66382 (HIGH) - XML parsing vulnerability...
@@ -70,6 +113,72 @@ Found 15 vulnerabilities in 3 packages
 
 This makes it suitable for use in CI/CD pipelines.
 
+## GitHub Actions
+
+Use the `--sarif` flag to integrate with GitHub code scanning:
+
+```yaml
+name: Vulnerability Scan
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  scan:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install brew-vulns
+        run: gem install brew-vulns
+
+      - name: Run vulnerability scan
+        run: brew vulns --sarif > results.sarif
+        continue-on-error: true
+
+      - name: Upload SARIF results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+```
+
+### Dependency graph integration
+
+Use the `--cyclonedx` flag to submit an SBOM to GitHub's dependency graph:
+
+```yaml
+name: SBOM Submission
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  sbom:
+    runs-on: macos-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install brew-vulns
+        run: gem install brew-vulns
+
+      - name: Generate SBOM
+        run: brew vulns --cyclonedx > sbom.cdx.json
+        continue-on-error: true
+
+      - name: Submit to dependency graph
+        uses: evryfs/sbom-dependency-submission-action@v0
+        with:
+          sbom-files: sbom.cdx.json
+```
+
+This adds your Homebrew packages to the repository's dependency graph, enabling Dependabot alerts.
+
 ## Development
 
 ```bash

data/lib/brew/vulns/cli.rb

@@ -7,12 +7,58 @@ module Brew
         new(args).run
       end
 
+      DEFAULT_MAX_SUMMARY = 60
+      SEVERITY_LEVELS = { "low" => 1, "medium" => 2, "high" => 3, "critical" => 4 }.freeze
+
       def initialize(args)
         @args = args
         @formula_filter = args.first unless args.first&.start_with?("-")
         @include_deps = args.include?("--deps") || args.include?("-d")
         @json_output = args.include?("--json") || args.include?("-j")
+        @sarif_output = args.include?("--sarif")
+        @cyclonedx_output = args.include?("--cyclonedx")
         @help = args.include?("--help") || args.include?("-h")
+        @max_summary = parse_max_summary(args)
+        @min_severity = parse_severity(args)
+        @brewfile = parse_brewfile_path(args)
+      end
+
+      def parse_max_summary(args)
+        args.each_with_index do |arg, idx|
+          if arg == "--max-summary" || arg == "-m"
+            value = args[idx + 1]
+            return value.to_i if value && !value.start_with?("-")
+          elsif arg.start_with?("--max-summary=")
+            return arg.split("=", 2).last.to_i
+          end
+        end
+        DEFAULT_MAX_SUMMARY
+      end
+
+      def parse_severity(args)
+        args.each_with_index do |arg, idx|
+          if arg == "--severity" || arg == "-s"
+            value = args[idx + 1]
+            return SEVERITY_LEVELS[value&.downcase] || 0 if value && !value.start_with?("-")
+          elsif arg.start_with?("--severity=")
+            value = arg.split("=", 2).last
+            return SEVERITY_LEVELS[value&.downcase] || 0
+          end
+        end
+        0
+      end
+
+      def parse_brewfile_path(args)
+        args.each_with_index do |arg, idx|
+          if arg == "--brewfile" || arg == "-b"
+            value = args[idx + 1]
+            return value if value && !value.start_with?("-")
+            return "Brewfile"
+          elsif arg.start_with?("--brewfile=")
+            return arg.split("=", 2).last
+          end
+        end
+        nil
       end
 
       def run
@@ -27,12 +73,12 @@ module Brew
           return 0
         end
 
-        queryable = formulae.select(&:github?).select(&:tag)
+        queryable = formulae.select(&:supported_forge?).select(&:tag)
         skipped = formulae.size - queryable.size
 
-        unless @json_output
+        unless @json_output || @sarif_output || @cyclonedx_output
           puts "Checking #{queryable.size} packages for vulnerabilities..."
-          puts "(#{skipped} packages skipped - no GitHub source URL)" if skipped > 0
+          puts "(#{skipped} packages skipped - no supported source URL)" if skipped > 0
           puts
         end
 
@@ -52,7 +98,9 @@ module Brew
       private
 
       def load_formulae
-        if @include_deps && @formula_filter
+        if @brewfile
+          Formula.load_from_brewfile(@brewfile, include_deps: @include_deps)
+        elsif @include_deps && @formula_filter
           Formula.load_with_dependencies(@formula_filter)
         else
           Formula.load_installed(@formula_filter)
@@ -67,7 +115,19 @@ module Brew
 
         results = {}
         formulae.each_with_index do |formula, idx|
-          vulns = Vulnerability.from_osv_list(vuln_results[idx] || [])
+          batch_vulns = vuln_results[idx] || []
+          next if batch_vulns.empty?
+
+          threads = batch_vulns.map do |v|
+            Thread.new { client.get_vulnerability(v["id"]) }
+          end
+          full_vulns = threads.map(&:value)
+          vulns = Vulnerability.from_osv_list(full_vulns)
+
+          version = formula.tag || formula.version
+          vulns = vulns.select { |v| v.affects_version?(version) }
+          vulns = vulns.select { |v| v.severity_level >= @min_severity } if @min_severity > 0
+
           results[formula] = vulns if vulns.any?
         end
 
@@ -75,7 +135,11 @@ module Brew
       end
 
       def output_results(results, all_formulae)
-        if @json_output
+        if @cyclonedx_output
+          output_cyclonedx(results, all_formulae)
+        elsif @sarif_output
+          output_sarif(results)
+        elsif @json_output
           output_json(results)
         else
           output_text(results, all_formulae)
@@ -105,6 +169,110 @@ module Brew
         results.empty? ? 0 : 1
       end
 
+      def output_cyclonedx(results, all_formulae)
+        components = all_formulae.map do |formula|
+          {
+            type: "library",
+            name: formula.name,
+            version: formula.version,
+            purl: "pkg:brew/#{formula.name}@#{formula.version}"
+          }
+        end
+
+        vulnerabilities = []
+        results.each do |formula, vulns|
+          vulns.each do |vuln|
+            vulnerabilities << {
+              id: vuln.id,
+              source: { name: "OSV", url: "https://osv.dev" },
+              ratings: [{ severity: vuln.severity_display&.downcase }],
+              description: vuln.summary,
+              affects: [{ ref: "pkg:brew/#{formula.name}@#{formula.version}" }]
+            }
+          end
+        end
+
+        generator = Sbom::Cyclonedx::Generator.new(format: :json)
+        generator.generate("brew-vulns", {
+          packages: components,
+          vulnerabilities: vulnerabilities
+        })
+
+        puts generator.output
+        results.empty? ? 0 : 1
+      end
+
+      def output_sarif(results)
+        rules = []
+        sarif_results = []
+
+        results.each do |formula, vulns|
+          vulns.each do |vuln|
+            rule_id = vuln.id
+            rules << Sarif::ReportingDescriptor.new(
+              id: rule_id,
+              name: rule_id,
+              short_description: Sarif::MultiformatMessageString.new(
+                text: vuln.summary || "Security vulnerability"
+              ),
+              help_uri: vuln.advisory_url,
+              default_configuration: Sarif::ReportingConfiguration.new(
+                level: sarif_level(vuln.severity_display)
+              )
+            )
+
+            sarif_results << Sarif::Result.new(
+              rule_id: rule_id,
+              level: sarif_level(vuln.severity_display),
+              message: Sarif::Message.new(
+                text: "#{formula.name}@#{formula.version}: #{vuln.summary || vuln.id}"
+              ),
+              locations: [
+                Sarif::Location.new(
+                  physical_location: Sarif::PhysicalLocation.new(
+                    artifact_location: Sarif::ArtifactLocation.new(
+                      uri: formula.repo_url || formula.name
+                    )
+                  ),
+                  message: Sarif::Message.new(
+                    text: "Affected package: #{formula.name} version #{formula.version}"
+                  )
+                )
+              ]
+            )
+          end
+        end
+
+        log = Sarif::Log.new(
+          version: "2.1.0",
+          runs: [
+            Sarif::Run.new(
+              tool: Sarif::Tool.new(
+                driver: Sarif::ToolComponent.new(
+                  name: "brew-vulns",
+                  version: VERSION,
+                  information_uri: "https://github.com/andrew/brew-vulns",
+                  rules: rules.uniq { |r| r.id }
+                )
+              ),
+              results: sarif_results
+            )
+          ]
+        )
+
+        puts JSON.pretty_generate(log.to_h)
+        results.empty? ? 0 : 1
+      end
+
+      def sarif_level(severity)
+        case severity&.downcase
+        when "critical", "high" then "error"
+        when "medium" then "warning"
+        when "low" then "note"
+        else "warning"
+        end
+      end
+
       def output_text(results, all_formulae)
         if results.empty?
           puts "No vulnerabilities found."
@@ -122,7 +290,11 @@ module Brew
 
             line = "  #{vuln.id} (#{severity})"
             if vuln.summary
-              summary = vuln.summary.length > 60 ? "#{vuln.summary.slice(0, 60)}..." : vuln.summary
+              summary = if @max_summary > 0 && vuln.summary.length > @max_summary
+                "#{vuln.summary.slice(0, @max_summary)}..."
+              else
+                vuln.summary
+              end
               line = "#{line} - #{summary}"
             end
             puts line
@@ -157,18 +329,29 @@ module Brew
           Check installed Homebrew packages for known vulnerabilities via osv.dev.
 
           Arguments:
-            formula          Check only this formula (optional)
+            formula              Check only this formula (optional)
 
           Options:
-            -d, --deps       Include dependencies when checking a specific formula
-            -j, --json       Output results as JSON
-            -h, --help       Show this help message
+            -b, --brewfile PATH  Scan packages from a Brewfile (default: ./Brewfile)
+            -d, --deps           Include dependencies when checking a specific formula or Brewfile
+            -j, --json           Output results as JSON
+            --cyclonedx          Output results as CycloneDX SBOM with vulnerabilities
+            --sarif              Output results as SARIF for GitHub code scanning
+            -m, --max-summary N  Truncate summaries to N characters (default: 60, 0 for no limit)
+            -s, --severity LEVEL Only show vulnerabilities at or above LEVEL (low, medium, high, critical)
+            -h, --help           Show this help message
 
           Examples:
             brew vulns                    Check all installed packages
             brew vulns openssl            Check only openssl
             brew vulns vim --deps         Check vim and its dependencies
+            brew vulns --brewfile         Scan packages listed in ./Brewfile
+            brew vulns -b ~/project/Brewfile  Scan a specific Brewfile
+            brew vulns -b Brewfile --deps Scan Brewfile packages and their dependencies
             brew vulns --json             Output as JSON for CI/CD
+            brew vulns --cyclonedx        Output as CycloneDX SBOM
+            brew vulns --sarif            Output as SARIF for GitHub Actions
+            brew vulns --severity high    Only show HIGH and CRITICAL vulnerabilities
         HELP
       end
     end

data/lib/brew/vulns/formula.rb

@@ -32,6 +32,18 @@ module Brew
         repo_url&.include?("github.com")
       end
 
+      def gitlab?
+        repo_url&.include?("gitlab.com")
+      end
+
+      def codeberg?
+        repo_url&.include?("codeberg.org")
+      end
+
+      def supported_forge?
+        github? || gitlab? || codeberg?
+      end
+
       def to_osv_query
         return nil unless repo_url && tag
 
@@ -46,7 +58,7 @@ module Brew
         formulae = data["formulae"].map { |f| new(f) }
 
         if formula_filter
-          formulae.select! { |f| f.name == formula_filter || f.name.start_with?("#{formula_filter}@") }
+          formulae.select! { |f| f.name == formula_filter || f.name.split("@").first == formula_filter }
         end
 
         formulae
@@ -61,7 +73,7 @@ module Brew
         formulae_by_name = all_formulae.each_with_object({}) { |f, h| h[f.name] = f }
 
         if formula_filter
-          filtered = all_formulae.select { |f| f.name == formula_filter || f.name.start_with?("#{formula_filter}@") }
+          filtered = all_formulae.select { |f| f.name == formula_filter || f.name.split("@").first == formula_filter }
           return [] if filtered.empty?
 
           deps_output, = Open3.capture2("brew", "deps", "--installed", formula_filter)
@@ -79,16 +91,59 @@ module Brew
         end
       end
 
+      def self.load_from_brewfile(brewfile_path, include_deps: false)
+        raise Error, "Brewfile not found: #{brewfile_path}" unless File.exist?(brewfile_path)
+
+        formula_names = parse_brewfile(brewfile_path)
+        return [] if formula_names.empty?
+
+        json, status = Open3.capture2("brew", "info", "--json=v2", *formula_names)
+        raise Error, "brew info failed with status #{status.exitstatus}" unless status.success?
+
+        data = JSON.parse(json)
+        formulae = data["formulae"].map { |f| new(f) }
+
+        if include_deps
+          dep_names = []
+          formula_names.each do |name|
+            deps_output, = Open3.capture2("brew", "deps", name)
+            dep_names.concat(deps_output.split("\n").map(&:strip))
+          end
+          dep_names.uniq!
+          dep_names -= formula_names
+
+          if dep_names.any?
+            deps_json, deps_status = Open3.capture2("brew", "info", "--json=v2", *dep_names)
+            if deps_status.success?
+              deps_data = JSON.parse(deps_json)
+              formulae.concat(deps_data["formulae"].map { |f| new(f) })
+            end
+          end
+        end
+
+        formulae.uniq { |f| f.name }
+      end
+
+      def self.parse_brewfile(brewfile_path)
+        output, status = Open3.capture2("brew", "bundle", "list", "--file=#{brewfile_path}", "--formula")
+        raise Error, "brew bundle list failed with status #{status.exitstatus}" unless status.success?
+
+        output.split("\n").map(&:strip).reject(&:empty?)
+      end
+
       private
 
       def extract_repo_url(url)
         return nil unless url
-        return nil unless url.include?("github.com")
 
-        match = url.match(%r{https?://github\.com/([^/]+/[^/]+)})
+        forges = %w[github.com gitlab.com codeberg.org]
+        forge = forges.find { |f| url.include?(f) }
+        return nil unless forge
+
+        match = url.match(%r{https?://#{Regexp.escape(forge)}/([^/]+/[^/]+)})
         if match
-          repo_path = match[1].sub(/\.git$/, "")
-          return "https://github.com/#{repo_path}"
+          repo_path = match[1].sub(/\.git$/, "").sub(%r{/-/.*}, "")
+          return "https://#{forge}/#{repo_path}"
         end
 
         nil

data/lib/brew/vulns/version.rb

@@ -2,6 +2,6 @@
 
 module Brew
   module Vulns
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

data/lib/brew/vulns/vulnerability.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "purl"
+require "vers"
+
 module Brew
   module Vulns
     class Vulnerability
@@ -54,12 +57,23 @@ module Brew
         versions.uniq
       end
 
+      def affects_version?(version, default_ecosystem = "gem")
+        return true if affected.empty?
+
+        normalized_version = normalize_version(version)
+
+        affected.any? do |aff|
+          ecosystem = extract_ecosystem(aff, default_ecosystem)
+
+          in_explicit_versions?(aff, normalized_version) ||
+            in_semver_ranges?(aff, normalized_version, ecosystem)
+        end
+      end
+
       def self.from_osv_list(vulns_data)
         vulns_data.map { |data| new(data) }
       end
 
-      private
-
       def extract_severity(data)
         if data["severity"]&.any?
           sev = data["severity"].first
@@ -121,6 +135,64 @@ module Brew
         end
         metrics
       end
+
+      def normalize_version(version)
+        version.sub(/^v/, "")
+      end
+
+      def extract_ecosystem(aff, default_ecosystem)
+        purl_str = aff.dig("package", "purl")
+        return default_ecosystem unless purl_str
+
+        purl = Purl.parse(purl_str)
+        purl.type
+      rescue StandardError => e
+        warn "Warning: Failed to parse purl '#{purl_str}': #{e.message}"
+        default_ecosystem
+      end
+
+      def in_explicit_versions?(aff, version)
+        versions = aff["versions"] || []
+        versions.any? { |v| normalize_version(v) == version }
+      end
+
+      def in_semver_ranges?(aff, version, ecosystem)
+        ranges = aff["ranges"] || []
+        semver_ranges = ranges.select { |r| r["type"] == "SEMVER" }
+
+        semver_ranges.any? do |range|
+          version_in_range?(version, range["events"], ecosystem)
+        end
+      end
+
+      def version_in_range?(version, events, ecosystem)
+        return false if events.nil? || events.empty?
+
+        constraints = build_constraints(events)
+        return false if constraints.empty?
+
+        Vers.satisfies?(version, constraints.join(","), ecosystem)
+      rescue StandardError => e
+        warn "Warning: Failed to check version '#{version}' against constraints: #{e.message}"
+        false
+      end
+
+      def build_constraints(events)
+        constraints = []
+        events.each do |event|
+          if event["introduced"]
+            intro = normalize_version(event["introduced"])
+            constraints << ">=#{intro}" unless intro == "0"
+          end
+          if event["fixed"]
+            constraints << "<#{normalize_version(event["fixed"])}"
+          end
+          if event["last_affected"]
+            constraints << "<=#{normalize_version(event["last_affected"])}"
+          end
+        end
+        constraints
+      end
     end
   end
 end

data/lib/brew/vulns.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "sarif"
+require "sbom"
+
 require_relative "vulns/version"
 require_relative "vulns/osv_client"
 require_relative "vulns/formula"

metadata

@@ -1,14 +1,70 @@
 --- !ruby/object:Gem::Specification
 name: brew-vulns
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Andrew Nesbitt
 bindir: exe
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
-dependencies: []
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: purl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: sarif-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: sbom
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: vers
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 description: A Homebrew subcommand that checks installed packages for vulnerabilities
   via osv.dev
 email: