RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.8.0 - Mend

bundler-audit 0.6.1 → 0.8.0

Files changed (426) hide show

data/lib/bundler/audit/cli.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -17,10 +17,11 @@
 require 'bundler/audit/scanner'
 require 'bundler/audit/version'
+require 'bundler/audit/cli/formats'
 require 'thor'
+require 'bundler/audit/cli/thor_ext/shell/basic/say_error'
 require 'bundler'
-require 'bundler/vendored_thor'
 module Bundler
   module Audit
@@ -29,123 +30,131 @@ module Bundler
       default_task :check
       map '--version' => :version
-      desc 'check', 'Checks the Gemfile.lock for insecure dependencies'
+      desc 'check [DIR]', 'Checks the Gemfile.lock for insecure dependencies'
       method_option :quiet, :type => :boolean, :aliases => '-q'
       method_option :verbose, :type => :boolean, :aliases => '-v'
       method_option :ignore, :type => :array, :aliases => '-i'
       method_option :update, :type => :boolean, :aliases => '-u'
+      method_option :database, :type => :string, :aliases => '-D', :default => Database::USER_PATH
+      method_option :format, :type => :string, :default => 'text',
+                             :aliases => '-F'
+      method_option :gemfile_lock, :type => :string, :aliases => '-G', :default => 'Gemfile.lock'
+      method_option :output, :type => :string, :aliases => '-o'
+      def check(dir=Dir.pwd)
+        unless File.directory?(dir)
+          say_error "No such file or directory: #{dir}", :red
+          exit 1
+        end
-      def check
-        update if options[:update]
+        begin
+          extend Formats.load(options[:format])
+        rescue Formats::FormatNotFound
+          say_error "Unknown format: #{options[:format]}", :red
+          exit 1
+        end
-        scanner    = Scanner.new
-        vulnerable = false
+        if !Database.exists?(options[:database])
+          download(options[:database])
+        elsif options[:update]
+          update(options[:database])
+        end
-        scanner.scan(:ignore => options.ignore) do |result|
-          vulnerable = true
+        database = Database.new(options[:database])
+        scanner  = begin
+                     Scanner.new(dir,options[:gemfile_lock],database)
+                   rescue Bundler::GemfileLockNotFound => exception
+                     say exception.message, :red
+                     exit 1
+                   end
+        report   = scanner.report(:ignore => options.ignore)
-          case result
-          when Scanner::InsecureSource
-            print_warning "Insecure Source URI found: #{result.source}"
-          when Scanner::UnpatchedGem
-            print_advisory result.gem, result.advisory
-          end
+        output = if options[:output] then File.new(options[:output],'w')
+                 else                     $stdout
+                 end
+        print_report(report,output)
+        output.close if options[:output]
+        exit(1) if report.vulnerable?
+      end
+      desc 'stats', 'Prints ruby-advisory-db stats'
+      method_option :quiet, :type => :boolean, :aliases => '-q'
+      def stats(path=Database.path)
+        database = Database.new(path)
+        puts "ruby-advisory-db:"
+        puts "  advisories:\t#{database.size} advisories"
+        puts "  last updated:\t#{database.last_updated_at}"
+      end
+      desc 'download', 'Downloads ruby-advisory-db'
+      method_option :quiet, :type => :boolean, :aliases => '-q'
+      def download(path=Database.path)
+        if Database.exists?(path)
+          say "Database already exists", :yellow
+          return
         end
-        if vulnerable
-          say "Vulnerabilities found!", :red
+        say("Download ruby-advisory-db ...") unless options.quiet?
+        begin
+          Database.download(path: path, quiet: options.quiet?)
+        rescue Database::DownloadFailed => error
+          say error.message, :red
           exit 1
-        else
-          say("No vulnerabilities found", :green) unless options.quiet?
         end
+        stats(path) unless options.quiet?
       end
       desc 'update', 'Updates the ruby-advisory-db'
       method_option :quiet, :type => :boolean, :aliases => '-q'
-      def update
+      def update(path=Database.path)
+        unless Database.exists?(path)
+          download(path)
+          return
+        end
         say("Updating ruby-advisory-db ...") unless options.quiet?
-        case Database.update!(quiet: options.quiet?)
+        database = Database.new(path)
+        case database.update!(quiet: options.quiet?)
         when true
           say("Updated ruby-advisory-db", :green) unless options.quiet?
         when false
-          say "Failed updating ruby-advisory-db!", :red
+          say_error "Failed updating ruby-advisory-db!", :red
           exit 1
         when nil
+          unless Bundler.git_present?
+            say_error "Git is not installed!", :red
+            exit 1
+          end
           say "Skipping update", :yellow
         end
-        unless options.quiet?
-          puts("ruby-advisory-db: #{Database.new.size} advisories")
-        end
+        stats(path) unless options.quiet?
       end
       desc 'version', 'Prints the bundler-audit version'
       def version
-        database = Database.new
-        puts "#{File.basename($0)} #{VERSION} (advisories: #{database.size})"
+        puts "bundler-audit #{VERSION}"
       end
       protected
-      def say(message="", color=nil)
-        color = nil unless $stdout.tty?
-        super(message.to_s, color)
-      end
-      def print_warning(message)
-        say message, :yellow
-      end
-      def print_advisory(gem, advisory)
-        say "Name: ", :red
-        say gem.name
-        say "Version: ", :red
-        say gem.version
-        say "Advisory: ", :red
-        if advisory.cve
-          say "CVE-#{advisory.cve}"
-        elsif advisory.osvdb
-          say advisory.osvdb
-        end
-        say "Criticality: ", :red
-        case advisory.criticality
-        when :low    then say "Low"
-        when :medium then say "Medium", :yellow
-        when :high   then say "High", [:red, :bold]
-        else              say "Unknown"
-        end
-        say "URL: ", :red
-        say advisory.url
-        if options.verbose?
-          say "Description:", :red
-          say
-          print_wrapped advisory.description, :indent => 2
-          say
-        else
-          say "Title: ", :red
-          say advisory.title
-        end
-        unless advisory.patched_versions.empty?
-          say "Solution: upgrade to ", :red
-          say advisory.patched_versions.join(', ')
-        else
-          say "Solution: ", :red
-          say "remove or disable this gem until a patch is available!", [:red, :bold]
-        end
-        say
+      #
+      # @abstract
+      #
+      def print_report(report)
+        raise(NotImplementedError,"#{self.class}##{__method__} not defined")
       end
     end

data/lib/bundler/audit/cli/formats.rb ADDED Viewed

@@ -0,0 +1,144 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+#
+require 'thor'
+module Bundler
+  module Audit
+    class CLI < ::Thor
+      #
+      # {Bundler::Audit::CLI} supports outputting it's audit results as
+      # {Bundler::Audit::CLI::Formats::Text text} or
+      # {Bundler::Audit::CLI::Formats::JSON JSON}, by default.
+      #
+      # ## API
+      #
+      # {Bundler::Audit::CLI} formats are really just modules defined under
+      # {Bundler::Audit::CLI::Formats}, that define a `#print_report` entry
+      # method. When the `#print_report` method is called it will be passed a
+      # {Bundler::Audit::Report report} object and an optional `output`
+      # stream, which may be either `$stdout` or a `File` object.
+      #
+      # {Bundler::Audit::CLI} will load a format by first calling
+      # {Formats.load}, which attempts to require the
+      # `bundler/audit/cli/formats/#{format}.rb` file, then gets the registered
+      # format module using {Formats.[]}.
+      # If the format module has been successfully loaded, it will be extended
+      # into the {Bundler::Audit::CLI} instance method access to
+      # {Bundler::Audit::CLI}'s instance methods.
+      #
+      # ## Custom Formats
+      #
+      # To define a custom format, it...
+      #
+      # * MUST be defined in a file in a
+      # `lib/bundler/audit/cli/formats/` directory.
+      # * MUST define a `print_report(report,output=$stdout)` instance method.
+      # * MUST register themselves by calling {Formats.register} at the end
+      #   of the file.
+      #
+      # ### Example
+      #
+      #     # lib/bundler/audit/cli/formats/my_format.rb
+      #     module Bundler
+      #       module Audit
+      #         class CLI < ::Thor
+      #           module Formats
+      #             module MyFormat
+      #               def print_report(report,output=$stdout)
+      #                 # ...
+      #               end
+      #             end
+      #
+      #             Formats.register :my_format, MyFormat
+      #           end
+      #         end
+      #       end
+      #     end
+      #
+      module Formats
+        class FormatNotFound < RuntimeError
+        end
+        # Directory where format modules are loaded from.
+        DIR = 'bundler/audit/cli/formats'
+        @registry = {}
+        #
+        # Registers a format with the given format name.
+        #
+        # @param [Symbol, String] name
+        #
+        # @param [Module#print_results] format
+        #   The format object.
+        #
+        # @raise [NotImplementedError]
+        #   The format object does not respond to `#call`.
+        #
+        # @api public
+        #
+        def self.register(name,format)
+          unless format.instance_methods.include?(:print_report)
+            raise(NotImplementedError,"#{format.inspect} does not define #print_report")
+          end
+          @registry[name.to_sym] = format
+        end
+        #
+        # Retrieves the format by name.
+        #
+        # @param [String, Symbol] name
+        #
+        # @return [Module#print_results, nil]
+        #   The format registered with the given name or `nil`.
+        #
+        def self.[](name)
+          @registry[name.to_sym]
+        end
+        #
+        # Loads the format with the given name by attempting to require
+        # `bundler/audit/cli/formats/#{name}` and returning the registered
+        # format using {[]}.
+        #
+        # @param [#to_s] name
+        #
+        # @return [Module#print_results]
+        #
+        # @raise [FormatNotFound]
+        #   No format exists with that given name.
+        #
+        def self.load(name)
+          name = name.to_s
+          begin
+            require File.join(DIR,File.basename(name))
+          rescue LoadError
+            raise(FormatNotFound,"could not load format #{name.inspect}")
+          end
+          return self[name] || \
+            raise(FormatNotFound,"unknown format #{name.inspect}")
+        end
+      end
+    end
+  end
+end
+require 'bundler/audit/cli/formats/text'

data/lib/bundler/audit/cli/formats/json.rb ADDED Viewed

@@ -0,0 +1,51 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+#
+require 'thor'
+require 'json'
+module Bundler
+  module Audit
+    class CLI < ::Thor
+      module Formats
+        module JSON
+          #
+          # Outputs the report as JSON. Will pretty-print JSON if `output`
+          # is a TTY, otherwise normal JSON will be outputted.
+          #
+          # @param [Report] report
+          #   The results from the {Scanner}.
+          #
+          # @param [IO, File] output
+          #   The output stream.
+          #
+          def print_report(report,output=$stdout)
+            hash = report.to_h
+            if output.tty?
+              output.puts ::JSON.pretty_generate(hash)
+            else
+              output.write(::JSON.generate(hash))
+            end
+          end
+        end
+        Formats.register :json, JSON
+      end
+    end
+  end
+end

data/lib/bundler/audit/cli/formats/text.rb ADDED Viewed

@@ -0,0 +1,118 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+#
+require 'thor'
+module Bundler
+  module Audit
+    class CLI < ::Thor
+      module Formats
+        module Text
+          #
+          # Prints any findings as plain-text.
+          #
+          # @param [Report] report
+          #   The results from the {Scanner}.
+          #
+          # @param [IO, File] output
+          #   Optional output stream.
+          #
+          def print_report(report,output=$stdout)
+            original_stdout = $stdout
+            $stdout = output
+            report.each do |result|
+              case result
+              when Results::InsecureSource
+                print_warning "Insecure Source URI found: #{result.source}"
+              when Results::UnpatchedGem
+                print_advisory result.gem, result.advisory
+              end
+            end
+            if report.vulnerable?
+              say "Vulnerabilities found!", :red
+            else
+              say("No vulnerabilities found", :green) unless options.quiet?
+            end
+            $stdout = original_stdout
+          end
+          private
+          def print_warning(message)
+            say message, :yellow
+          end
+          def print_advisory(gem, advisory)
+            say "Name: ", :red
+            say gem.name
+            say "Version: ", :red
+            say gem.version
+            if advisory.cve
+              say "CVE: ", :red
+              say advisory.cve_id
+            end
+            if advisory.ghsa
+              say "GHSA: ", :red
+              say advisory.ghsa_id
+            end
+            say "Criticality: ", :red
+            case advisory.criticality
+            when :low    then say "Low"
+            when :medium then say "Medium", :yellow
+            when :high   then say "High", [:red, :bold]
+            else              say "Unknown"
+            end
+            say "URL: ", :red
+            say advisory.url
+            if options.verbose?
+              say "Description:", :red
+              say
+              print_wrapped advisory.description, :indent => 2
+              say
+            else
+              say "Title: ", :red
+              say advisory.title
+            end
+            unless advisory.patched_versions.empty?
+              say "Solution: upgrade to ", :red
+              say advisory.patched_versions.join(', ')
+            else
+              say "Solution: ", :red
+              say "remove or disable this gem until a patch is available!", [:red, :bold]
+            end
+            say
+          end
+        end
+        Formats.register :text, Text
+      end
+    end
+  end
+end