bundle-patch 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d8b17466b5eb121598328313cfad1610ffc24389696fe4560d4a069d77a0964b
+  data.tar.gz: 8f27ad6af43d58e7d4d45b1c4929ea0a5f81f07acdedd392f07b22fbb3e71e8e
+SHA512:
+  metadata.gz: fdee9fb0b56afdb55eaba3c51139b6ceff09b81bda3e2845b89ee84400508061f1386e04d1a13475bbf7dbf18186380de33cd57d1209ea276916d6ab85e7a4db
+  data.tar.gz: 4b47dc321f9a3f976d65ab41c5bba00e3bc6ad4de4824503a588cad8d375c1711bea149a99c8240cfb7a44d9138d29d46a6144e8a26dfddf112287d1403724e6

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2025-04-10
+
+- Initial release

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 rishijain
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,82 @@
+# 🔒 bundle-patch
+
+A command-line tool to **automatically patch vulnerable gems** in your Gemfile using [`bundler-audit`](https://github.com/rubysec/bundler-audit) under the hood.
+
+It parses audit output, finds the **best patchable version** for each vulnerable gem, and updates your Gemfile accordingly.
+
+---
+
+## ✨ Features
+
+- Runs `bundle audit` and parses vulnerabilities
+- Computes the minimal patchable version required
+- Updates your `Gemfile` (and optionally runs `bundle install`)
+- Supports patch/minor/major upgrade strategies
+- Handles indirect dependencies by explicitly adding them
+- Has a dry-run mode
+
+---
+
+## 💡 Example
+
+```bash
+bundle-patch --mode=minor
+```
+
+Example output
+
+```
+🔍 Running `bundle-audit check --format json`...
+🔒 Found 2 vulnerabilities:
+- sidekiq (5.2.10): sidekiq Denial of Service vulnerability
+  ✅ Patchable → 6.5.10
+- actionpack (6.1.4.1): XSS vulnerability
+  ✅ Patchable → 6.1.7.7
+📝 Backing up Gemfile to Gemfile.bak...
+🔧 Updating existing gem: actionpack to '6.1.7.7'
+➕ Gem sidekiq is a dependency. Adding it explicitly to Gemfile with version 6.5.10.
+✅ Gemfile updated!
+📦 Running `bundle install`...
+✅ bundle install completed successfully
+```
+
+## ⚙️ Options
+
+| Option                  | Description                                                               |
+| ----------------------- | ------------------------------------------------------------------------- |
+| `--mode=patch`          | Only allow patch-level updates (default)                                  |
+| `--mode=minor`          | Allow minor version updates                                               |
+| `--mode=all`            | Allow all updates including major versions                                |
+| `--dry-run`             | Only print what would be changed, don’t touch the Gemfile or install gems |
+| `--skip_bundle_install` | Modify the Gemfile, but skip `bundle install`                             |
+
+## 📦 Installation
+
+Add this gem to your system:
+
+```bash
+gem install bundle-patch
+```
+
+Or add it to your project's Gemfile for use in development:
+
+```bash
+# Gemfile
+group :development do
+  gem 'bundle-patch'
+end
+```
+
+And then:
+
+```
+bundle install
+```
+
+## 🧼 How it works
+
+1. Runs `bundle audit check --format json`
+2. Groups advisories by gem
+3. Determines the best patchable version for each gem based on `--mode`
+4. Ensures the gem is either updated or explicitly added to the `Gemfile`
+5. Optionally runs `bundle install` (unless `--skip_bundle_install` or `--dry-run` is used)

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "minitest/test_task"
+
+Minitest::TestTask.create
+
+task default: :test

data/bin/console

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "bundle/patch"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/bundle/patch/audit/advisory.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require "rubygems"
+
+module Bundle
+  module Patch
+    module Audit
+      class Advisory
+        attr_reader :name, :version, :patched_versions, :raw
+
+        def initialize(raw)
+          @raw              = raw
+          @name             = raw.dig("gem", "name")
+          @version          = Gem::Version.new(raw.dig("gem", "version"))
+          @patched_versions = Array(raw.dig("advisory", "patched_versions")).map { Gem::Requirement.new(_1) }
+        end
+
+        def patchable?
+          latest_patch_version && (latest_patch_version.segments[1] == version.segments[1])
+        end
+
+        def latest_patch_version
+          @latest_patch_version ||= begin
+            candidates = patched_versions.flat_map(&:requirements)
+              .map { |op, v| Gem::Version.new(v) if op == ">=" }
+              .compact
+
+            candidates
+              .select { |v| v.segments[0..1] == version.segments[0..1] } # Same major.minor
+              .max
+          end
+        end
+
+        def to_h
+          @raw
+        end
+      end
+    end
+  end
+end

data/lib/bundle/patch/audit/parser.rb

@@ -0,0 +1,26 @@
+require "json"
+require "open3"
+require_relative "advisory"
+
+module Bundle
+  module Patch
+    module Audit
+      class Parser
+        def self.run
+          puts "🔍 Running `bundle-audit check --format json`..."
+
+          output, _status = Open3.capture2("bundle-audit check --format json")
+
+          # Even if status is non-zero, it's likely due to found vulnerabilities
+          begin
+            parsed = JSON.parse(output)
+            # parsed["results"] || []
+            parsed["results"].map { |data| Advisory.new(data) }
+          rescue JSON::ParserError => e
+            abort "❌ Could not parse bundle-audit output: #{e.message}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundle/patch/bundler_audit_installer.rb

@@ -0,0 +1,16 @@
+module Bundle
+  module Patch
+    class BundlerAuditInstaller
+      def self.ensure_installed!
+        return if system("bundle-audit --version > /dev/null 2>&1")
+
+        puts "🔍 bundler-audit not found. Installing..."
+        success = system("gem install bundler-audit")
+
+        unless success
+          abort "❌ Failed to install bundler-audit. Please check your RubyGems setup."
+        end
+      end
+    end
+  end
+end

data/lib/bundle/patch/config.rb

@@ -0,0 +1,40 @@
+# lib/bundle/patch/config.rb
+module Bundle
+  module Patch
+    class Config
+      attr_reader :dry_run, :mode, :skip_bundle_install
+
+      def initialize(dry_run: false, mode: "patch", skip_bundle_install: false)
+        @dry_run = dry_run
+        @mode = mode
+        @skip_bundle_install = skip_bundle_install
+      end
+
+      def allow_update?(from_version, to_version)
+        return true if mode == "all"
+
+        from = Gem::Version.new(from_version)
+        to = Gem::Version.new(to_version)
+
+        case mode
+        when "patch"
+          same_major?(from, to) && same_minor?(from, to)
+        when "minor"
+          same_major?(from, to)
+        else
+          true
+        end
+      end
+
+      private
+
+      def same_major?(v1, v2)
+        v1.segments[0] == v2.segments[0]
+      end
+
+      def same_minor?(v1, v2)
+        v1.segments[1] == v2.segments[1]
+      end
+    end
+  end
+end

data/lib/bundle/patch/gemfile_editor.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Bundle
+  module Patch
+    class GemfileEditor
+      GEMFILE_PATH = "Gemfile"
+      LOCKFILE_PATH = "Gemfile.lock"
+      BACKUP_PATH = "Gemfile.bak"
+
+      def self.update!(patchable_gems)
+        unless File.exist?(GEMFILE_PATH)
+          abort "❌ No Gemfile found in the current directory."
+        end
+
+        puts "📝 Backing up Gemfile to #{BACKUP_PATH}..."
+        File.write(BACKUP_PATH, File.read(GEMFILE_PATH))
+
+        lines = File.readlines(GEMFILE_PATH)
+        updated_lines = lines.dup
+
+        patchable_gems.each do |gem_info|
+          name = gem_info["name"]
+          version = gem_info["required_version"]
+
+          in_gemfile = gem_declared_in_gemfile?(name, lines)
+          in_lockfile = gem_declared_in_lockfile?(name)
+
+          if in_gemfile
+            puts "🔧 Updating existing gem: #{name} → '#{version}'"
+            updated_lines = update_version_in_lines(updated_lines, name, version)
+          elsif in_lockfile
+            puts "➕ Adding dependency gem: #{name} → '#{version}'"
+            updated_lines << "gem \"#{name}\", \"#{version}\"\n"
+          else
+            puts "⚠️  Skipping #{name} — not found in Gemfile or Gemfile.lock."
+          end
+        end
+
+        File.write(GEMFILE_PATH, updated_lines.join)
+        puts "✅ Gemfile updated!"
+      end
+
+      def self.gem_declared_in_gemfile?(name, lines)
+        lines.any? { |line| line.match?(/^\s*gem\s+['"]#{name}['"]/) }
+      end
+
+      def self.gem_declared_in_lockfile?(name)
+        return false unless File.exist?(LOCKFILE_PATH)
+        File.read(LOCKFILE_PATH).include?("\n    #{name} ")
+      end
+
+      def self.update_version_in_lines(lines, name, version)
+        lines.map do |line|
+          if line.match?(/^\s*gem\s+['"]#{name}['"]/)
+            parts = line.strip.split(",").map(&:strip)
+            gem_declaration = parts[0]
+            "#{gem_declaration}, '#{version}'\n"
+          else
+            line
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundle/patch/gemfile_updater.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Bundle
+  module Patch
+    class GemfileUpdater
+      def self.update(gemfile_path:, advisories:)
+        contents = File.read(gemfile_path)
+        updated = false
+
+        advisories.each do |adv|
+          name = adv["name"]
+          min_safe_version = adv["required_version"]
+          next unless min_safe_version
+
+          # This regex matches lines like: gem 'somegem', '1.2.3'
+          regex = /^(\s*gem\s+["']#{Regexp.escape(name)}["']\s*,\s*)["'][^"']*["'](.*)$/
+
+          contents.gsub!(regex) do
+            updated = true
+            "#{$1}\"#{min_safe_version}\"#{$2}"
+          end
+        end
+
+        if updated
+          File.write(gemfile_path, contents)
+          puts "📝 Updated Gemfile with patched versions"
+        else
+          puts "✅ No existing Gemfile entries needed updating"
+        end
+      end
+    end
+  end
+end

data/lib/bundle/patch/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Bundle
+  module Patch
+    VERSION = "0.1.0"
+  end
+end

data/lib/bundle/patch.rb

@@ -0,0 +1,87 @@
+# lib/bundle/patch.rb
+# frozen_string_literal: true
+
+require_relative "patch/version"
+require_relative "patch/bundler_audit_installer"
+require_relative "patch/audit/parser"
+require_relative "patch/gemfile_editor"
+require_relative "patch/gemfile_updater"
+require_relative "patch/config"
+
+module Bundle
+  module Patch
+    def self.start(config = Config.new)
+      BundlerAuditInstaller.ensure_installed!
+      advisories = Audit::Parser.run
+
+      if advisories.empty?
+        puts "🎉 No vulnerabilities found!"
+        return
+      end
+
+      puts "🔒 Found #{advisories.size} vulnerabilities:"
+      patchable = []
+
+      advisories.group_by { |adv| adv.to_h.dig("gem", "name") }.each do |name, gem_advisories|
+        current = gem_advisories.first.to_h.dig("gem", "version")
+        current_version = Gem::Version.new(current)
+
+        # Collect all requirements from advisories
+        all_requirements = gem_advisories.flat_map do |adv|
+          adv.to_h.dig("advisory", "patched_versions").map do |req|
+            Gem::Requirement.new(req) rescue nil
+          end
+        end.compact
+
+        # Find versions that satisfy all requirements
+        candidate_versions = all_requirements
+          .map { |req| best_version_matching(req) }
+          .compact
+          .uniq
+          .select { |v| config.allow_update?(current_version, v) }
+          .sort
+
+        if candidate_versions.any?
+          best_patch = candidate_versions.first
+          title_list = gem_advisories.map { |a| a.to_h.dig("advisory", "title") }.uniq
+          puts "- #{name} (#{current}):"
+          title_list.each { |t| puts "  • #{t}" }
+          puts "  ✅ Patchable → #{best_patch}"
+
+          patchable << { "name" => name, "required_version" => best_patch.to_s }
+        else
+          puts "- #{name} (#{current}):"
+          gem_advisories.each do |adv|
+            puts "  • #{adv.to_h.dig("advisory", "title")}"
+          end
+          puts "  ⚠️  Not patchable (no version satisfies all advisories in current mode)"
+        end
+      end
+
+      if patchable.any?
+        if config.dry_run
+          puts "💡 Skipped Gemfile update and bundle install (dry run)"
+        elsif config.skip_bundle_install
+          puts "💡 Skipped bundle install (per --skip-bundle-install)"
+          GemfileEditor.update!(patchable)
+          GemfileUpdater.update(gemfile_path: "Gemfile", advisories: patchable)
+        else
+          GemfileEditor.update!(patchable)
+          GemfileUpdater.update(gemfile_path: "Gemfile", advisories: patchable)
+          puts "📦 Running `bundle install`..."
+          success = system("bundle install")
+          if success
+            puts "✅ bundle install completed successfully"
+          else
+            puts "❌ bundle install failed. Please run it manually."
+          end
+        end
+      end
+    end
+
+    def self.best_version_matching(req)
+      # Approximate best patch version using upper bound from requirement
+      req.requirements.map { |_, v| v }.compact.min rescue nil
+    end
+  end
+end

data/lib/bundle-patch.rb

@@ -0,0 +1,38 @@
+require "optparse"
+require "bundle/patch"
+
+# Default options
+options = {
+  dry_run: false,
+  mode: "patch"
+}
+
+OptionParser.new do |opts|
+  opts.banner = "Usage: bundle-patch [options]"
+
+  opts.on("--dry-run", "Do not modify files or run bundle install") do
+    options[:dry_run] = true
+  end
+
+  opts.on("--skip-bundle-install", "Update Gemfile but skip running bundle install") do
+    options[:skip_bundle_install] = true
+  end
+
+  opts.on("--mode=MODE", "Update mode: patch (default), minor, all") do |mode|
+    allowed = %w[patch minor all]
+    if allowed.include?(mode)
+      options[:mode] = mode
+    else
+      puts "❌ Invalid mode: #{mode}. Must be one of: #{allowed.join(', ')}"
+      exit 1
+    end
+  end
+end.parse!
+
+config = Bundle::Patch::Config.new(
+  dry_run: options[:dry_run],
+  mode: options[:mode],
+  skip_bundle_install: options[:skip_bundle_install]
+)
+
+Bundle::Patch.start(config)

data/sig/bundle/patch.rbs

@@ -0,0 +1,6 @@
+module Bundle
+  module Patch
+    VERSION: String
+    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+  end
+end

metadata

@@ -0,0 +1,76 @@
+--- !ruby/object:Gem::Specification
+name: bundle-patch
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- rishijain
+bindir: exe
+cert_chain: []
+date: 2025-04-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler-audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+description: bundle-patch is a CLI tool that detects vulnerable gems in your Gemfile
+  and automatically upgrades them to a patchable version based on your configured
+  strategy (patch/minor/all). Uses bundler-audit under the hood.
+email:
+- jainrishi.37@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/bundle-patch.rb
+- lib/bundle/patch.rb
+- lib/bundle/patch/audit/advisory.rb
+- lib/bundle/patch/audit/parser.rb
+- lib/bundle/patch/bundler_audit_installer.rb
+- lib/bundle/patch/config.rb
+- lib/bundle/patch/gemfile_editor.rb
+- lib/bundle/patch/gemfile_updater.rb
+- lib/bundle/patch/version.rb
+- sig/bundle/patch.rbs
+homepage: https://github.com/rishijain/bundle-patch
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/rishijain/bundle-patch
+  source_code_uri: https://github.com/rishijain/bundle-patch
+  changelog_uri: https://github.com/rishijain/bundle-patch/blob/main/CHANGELOG.md
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.2
+specification_version: 4
+summary: Automatically patch vulnerable gems using bundler-audit
+test_files: []