bundler-advise 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 87d25bc27eacc044d69d52b6fcf8d083368e9844
+  data.tar.gz: 8646a541b6fdfd2dcb885ed5022be618dba86d1f
+SHA512:
+  metadata.gz: becf54f63bde517c9b5219167efb76b19317e232e94de7ce608a4c8e60f464bd19d8469909faab75f95defe128f2fd66ed16cb351265740a830fd46ecaab5e4c
+  data.tar.gz: 750a49c7cb0f56c14a76fb85f16fe46e682760f19f578b832704074b248f91515201927c4ea5595e60c75ce0fdd0482b1c8e0f7100e3e675cfbd4b9d5412dc6e

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/bin/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--backtrace

data/.ruby-version

@@ -0,0 +1 @@
+2.2.4

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.2.4
+before_install: gem install bundler -v 1.10.6

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in bundler-advise.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 cLabs, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,62 @@
+# Bundler::Advise
+
+Scans a Gemfile looking for known vulnerable gems.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'bundler-advise'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install bundler-advise
+
+## Goal
+
+The intent of this gem is to provide a library alternate to `bundler-audit` with an MIT license. The intent of
+`bundler-audit` is to be a [standalone utility](https://github.com/rubysec/bundler-audit/issues/9),
+`bundler-advise` can be integrated into other codebases without concerns over GPLv3 licensing.
+
+Both tools fetch and parse the contents of the [ruby-advisory-db](rubysec/ruby-advisory-db.git). `bundle-advise`
+has no CLI, does not scan for insecure sources, but does support custom advisory databases that match the interface
+of the data in ruby-advisory-db, for organizations that want to maintain an internal database for private gems.
+
+## Usage
+
+```ruby
+    require 'bundler/advise'
+
+    # Presuming the default ruby-advisory-db on github.com and Dir.pwd is set to
+    # project root, containing the project's Gemfile.lock
+    advisories = Bundler::Advise::GemAdviser.new.scan_lockfile
+
+    # To change the directory:
+    advisories = Bundler::Advise::GemAdviser.new(dir: other_project_dir).scan_lockfile
+
+    # To use a custom advisory db:
+    db = Bundler::Advise::Advisories.new(dir: my_custom_db_path, repo: custom_git_url)
+    advisories = Bundler::Advise::GemAdviser.new(advisories: db).scan_lockfile
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/chrismo/bundler-advise.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "bundler/advise"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+require "pry"
+Pry.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/bundler-advise.gemspec

@@ -0,0 +1,28 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'bundler/advise/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'bundler-advise'
+  spec.version       = Bundler::Advise::VERSION
+  spec.authors       = ['chrismo']
+  spec.email         = ['chrismo@clabs.org']
+
+  spec.summary       = %q{Scans Gemfile for known vulnerable gems.}
+  # spec.description   = %q{TODO: Write a longer description or delete this line.}
+  spec.homepage      = 'https://github.com/chrismo/bundler-advise'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'git'
+  spec.add_dependency 'bundler', '~> 1.10'
+
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec'
+end

data/lib/bundler/advise/advisories.rb

@@ -0,0 +1,44 @@
+require 'git'
+
+module Bundler::Advise
+  class Advisories
+    attr_reader :dir, :repo
+
+    def initialize(dir: File.expand_path('~/.ruby-advisory-db'),
+                   repo: 'git@github.com:rubysec/ruby-advisory-db.git')
+      @dir = dir
+      @repo = repo
+    end
+
+    def update
+      File.exist?(@dir) ? pull : clone
+    rescue ArgumentError => e
+      # git gem is dorky in this case, putting the path into the backtrace.
+      msg = "Unexpected problem with working dir for advisories: #{e.message} #{e.backtrace}.\n" +
+        "Call clean_update! to remove #{@dir} and re-clone it."
+      raise RuntimeError, msg
+    end
+
+    def clean_update!
+      FileUtils.rmtree @dir
+      update
+    end
+
+    def gem_advisories_for(gem_name)
+      Dir[File.join(@dir, 'gems', gem_name, '*.yml')].map do |ad_yml|
+        Advisory.from_yml(ad_yml)
+      end
+    end
+
+    private
+
+    def clone
+      Git.clone(@repo, @dir)
+    end
+
+    def pull
+      git = Git.open(@dir)
+      git.pull
+    end
+  end
+end

data/lib/bundler/advise/advisory.rb

@@ -0,0 +1,51 @@
+require 'yaml'
+
+module Bundler::Advise
+  class Advisory
+    def self.from_yml(yml_filename)
+      id = File.basename(yml_filename, '.yml')
+      new(YAML.load(File.read(yml_filename)).tap { |h| h[:id] = id })
+    end
+
+    def self.fields
+      [:gem, :cve, :cvss_v2, :date, :description, :framework, :osvdb, :patched_versions,
+       :platform, :related, :title, :unaffected_versions, :url, :vendor_patch]
+    end
+
+    attr_reader *self.fields, :id
+
+    def initialize(fields={})
+      fields.each do |k, v|
+        instance_variable_set("@#{k}", v)
+      end
+    end
+
+    def to_yaml
+      self.class.fields.reduce({}) { |h, f| v = instance_variable_get("@#{f}"); h[f.to_s] = v if v; h }.to_yaml
+    end
+
+    def unaffected_versions
+      Array(@unaffected_versions).map { |v| Gem::Requirement.create(v) }
+    end
+
+    def patched_versions
+      Array(@patched_versions).map { |v| Gem::Requirement.create(v) }
+    end
+
+    def is_affected?(gem_version)
+      is_not_patched?(gem_version) && is_not_unaffected?(gem_version)
+    end
+
+    def is_not_patched?(gem_version)
+      patched_versions.detect do |pv|
+        pv.satisfied_by?(Gem::Version.create(gem_version))
+      end.nil?
+    end
+
+    def is_not_unaffected?(gem_version)
+      unaffected_versions.detect do |pv|
+        pv.satisfied_by?(Gem::Version.create(gem_version))
+      end.nil?
+    end
+  end
+end

data/lib/bundler/advise/gem_adviser.rb

@@ -0,0 +1,23 @@
+require 'bundler/lockfile_parser'
+
+module Bundler::Advise
+  class GemAdviser
+    def initialize(advisories: Advisories.new, dir: Dir.pwd)
+      @advisories = advisories
+      @dir = dir
+      scan_lockfile
+    end
+
+    def scan_lockfile
+      lockfile = nil
+      Dir.chdir(@dir) do
+        lockfile = Bundler::LockfileParser.new(Bundler.read_file('Gemfile.lock'))
+      end
+      lockfile.specs.map do |spec|
+        @advisories.gem_advisories_for(spec.name).select do |ad|
+          ad.is_affected?(spec.version)
+        end
+      end.flatten
+    end
+  end
+end

data/lib/bundler/advise/version.rb

@@ -0,0 +1,5 @@
+module Bundler
+  module Advise
+    VERSION = '1.0.0'
+  end
+end

data/lib/bundler/advise.rb

@@ -0,0 +1,5 @@
+require_relative 'advise/version'
+require_relative 'advise/advisory'
+require_relative 'advise/advisories'
+require_relative 'advise/gem_adviser'
+

metadata

@@ -0,0 +1,130 @@
+--- !ruby/object:Gem::Specification
+name: bundler-advise
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- chrismo
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2016-03-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: git
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- chrismo@clabs.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".ruby-version"
+- ".travis.yml"
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- bundler-advise.gemspec
+- lib/bundler/advise.rb
+- lib/bundler/advise/advisories.rb
+- lib/bundler/advise/advisory.rb
+- lib/bundler/advise/gem_adviser.rb
+- lib/bundler/advise/version.rb
+homepage: https://github.com/chrismo/bundler-advise
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: Scans Gemfile for known vulnerable gems.
+test_files: []