bundler-audit 0.6.1 → 0.9.0.1

data/lib/bundler/audit/cli.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,140 +12,166 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/scanner'
 require 'bundler/audit/version'
+require 'bundler/audit/cli/formats'
 
 require 'thor'
+require 'bundler/audit/cli/thor_ext/shell/basic/say_error'
 require 'bundler'
-require 'bundler/vendored_thor'
 
 module Bundler
   module Audit
+    #
+    # The `bundle-audit` command.
+    #
     class CLI < ::Thor
 
       default_task :check
       map '--version' => :version
 
-      desc 'check', 'Checks the Gemfile.lock for insecure dependencies'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
-      method_option :verbose, :type => :boolean, :aliases => '-v'
-      method_option :ignore, :type => :array, :aliases => '-i'
-      method_option :update, :type => :boolean, :aliases => '-u'
+      desc 'check [DIR]', 'Checks the Gemfile.lock for insecure dependencies'
+      method_option :quiet, type: :boolean, aliases: '-q'
+      method_option :verbose, type: :boolean, aliases: '-v'
+      method_option :ignore, type: :array, aliases: '-i'
+      method_option :update, type: :boolean, aliases: '-u'
+      method_option :database, type: :string, aliases: '-D',
+                               default: Database::USER_PATH
+      method_option :format, type: :string, default: 'text', aliases: '-F'
+      method_option :config, type: :string, aliases: '-c', default: '.bundler-audit.yml'
+      method_option :gemfile_lock, type: :string, aliases: '-G',
+                                   default: 'Gemfile.lock'
+      method_option :output, type: :string, aliases: '-o'
+
+      def check(dir=Dir.pwd)
+        unless File.directory?(dir)
+          say_error "No such file or directory: #{dir}", :red
+          exit 1
+        end
 
-      def check
-        update if options[:update]
+        begin
+          extend Formats.load(options[:format])
+        rescue Formats::FormatNotFound
+          say_error "Unknown format: #{options[:format]}", :red
+          exit 1
+        end
 
-        scanner    = Scanner.new
-        vulnerable = false
+        if !Database.exists?(options[:database])
+          download(options[:database])
+        elsif options[:update]
+          update(options[:database])
+        end
 
-        scanner.scan(:ignore => options.ignore) do |result|
-          vulnerable = true
+        database = Database.new(options[:database])
+        scanner  = begin
+                     Scanner.new(dir,options[:gemfile_lock],database, options[:config])
+                   rescue Bundler::GemfileLockNotFound => exception
+                     say exception.message, :red
+                     exit 1
+                   end
 
-          case result
-          when Scanner::InsecureSource
-            print_warning "Insecure Source URI found: #{result.source}"
-          when Scanner::UnpatchedGem
-            print_advisory result.gem, result.advisory
-          end
+        report = scanner.report(ignore: options.ignore)
+
+        output = if options[:output] then File.new(options[:output],'w')
+                 else                     $stdout
+                 end
+
+        print_report(report,output)
+
+        output.close if options[:output]
+
+        exit(1) if report.vulnerable?
+      end
+
+      desc 'stats', 'Prints ruby-advisory-db stats'
+      method_option :quiet, type: :boolean, aliases: '-q'
+
+      def stats(path=Database.path)
+        database = Database.new(path)
+
+        puts "ruby-advisory-db:"
+        puts "  advisories:\t#{database.size} advisories"
+        puts "  last updated:\t#{database.last_updated_at}"
+
+        if (commit_id = database.commit_id)
+          puts "  commit:\t#{commit_id}"
         end
+      end
+
+      desc 'download', 'Downloads ruby-advisory-db'
+      method_option :quiet, type: :boolean, aliases: '-q'
 
-        if vulnerable
-          say "Vulnerabilities found!", :red
+      def download(path=Database.path)
+        if Database.exists?(path)
+          say "Database already exists", :yellow
+          return
+        end
+
+        say("Download ruby-advisory-db ...") unless options.quiet?
+
+        begin
+          Database.download(path: path, quiet: options.quiet?)
+        rescue Database::DownloadFailed => error
+          say error.message, :red
           exit 1
-        else
-          say("No vulnerabilities found", :green) unless options.quiet?
         end
+
+        stats(path) unless options.quiet?
       end
 
       desc 'update', 'Updates the ruby-advisory-db'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
+      method_option :quiet, type: :boolean, aliases: '-q'
+
+      def update(path=Database.path)
+        unless Database.exists?(path)
+          download(path)
+          return
+        end
 
-      def update
         say("Updating ruby-advisory-db ...") unless options.quiet?
 
-        case Database.update!(quiet: options.quiet?)
+        database = Database.new(path)
+
+        case database.update!(quiet: options.quiet?)
         when true
           say("Updated ruby-advisory-db", :green) unless options.quiet?
         when false
-          say "Failed updating ruby-advisory-db!", :red
+          say_error "Failed updating ruby-advisory-db!", :red
           exit 1
         when nil
+          unless Bundler.git_present?
+            say_error "Git is not installed!", :red
+            exit 1
+          end
+
           say "Skipping update", :yellow
         end
 
-        unless options.quiet?
-          puts("ruby-advisory-db: #{Database.new.size} advisories")
-        end
+        stats(path) unless options.quiet?
       end
 
       desc 'version', 'Prints the bundler-audit version'
       def version
-        database = Database.new
-
-        puts "#{File.basename($0)} #{VERSION} (advisories: #{database.size})"
+        puts "bundler-audit #{VERSION}"
       end
 
       protected
 
-      def say(message="", color=nil)
-        color = nil unless $stdout.tty?
-        super(message.to_s, color)
+      #
+      # @note Silence deprecation warnings from Thor.
+      #
+      def self.exit_on_failure?
+        true
       end
 
-      def print_warning(message)
-        say message, :yellow
-      end
-
-      def print_advisory(gem, advisory)
-        say "Name: ", :red
-        say gem.name
-
-        say "Version: ", :red
-        say gem.version
-
-        say "Advisory: ", :red
-
-        if advisory.cve
-          say "CVE-#{advisory.cve}"
-        elsif advisory.osvdb
-          say advisory.osvdb
-        end
-
-        say "Criticality: ", :red
-        case advisory.criticality
-        when :low    then say "Low"
-        when :medium then say "Medium", :yellow
-        when :high   then say "High", [:red, :bold]
-        else              say "Unknown"
-        end
-
-        say "URL: ", :red
-        say advisory.url
-
-        if options.verbose?
-          say "Description:", :red
-          say
-
-          print_wrapped advisory.description, :indent => 2
-          say
-        else
-
-          say "Title: ", :red
-          say advisory.title
-        end
-
-        unless advisory.patched_versions.empty?
-          say "Solution: upgrade to ", :red
-          say advisory.patched_versions.join(', ')
-        else
-          say "Solution: ", :red
-          say "remove or disable this gem until a patch is available!", [:red, :bold]
-        end
-
-        say
+      #
+      # @abstract
+      #
+      def print_report(report)
+        raise(NotImplementedError,"#{self.class}##{__method__} not defined")
       end
 
     end

data/lib/bundler/audit/configuration.rb

@@ -0,0 +1,108 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'yaml'
+require 'set'
+
+module Bundler
+  module Audit
+    #
+    # Class for storing and validating configuration for running the auditor.
+    #
+    # @since 0.8.0
+    #
+    class Configuration
+      class InvalidConfigurationError < StandardError
+      end
+
+      class FileNotFound < StandardError
+      end
+
+      #
+      # A constructor method for loading configuration from a YAML file.
+      #
+      # @param [String] file_path
+      #   Path to the YAML file holding the configuration.
+      #
+      # @raise [FileNotFound]
+      #   Will raise a file not found error when the path to the
+      #   configuration YAML file does not exist.
+      #
+      # @raise [InvalidConfigurationError]
+      #   Will raise an invalid configuration error indicating what in the
+      #   YAML file is invalid for the configuration.
+      #
+      # @return [Configuration]
+      #   A Configuration object containing the config hash loaded from the
+      #   file passed.
+      #
+      def self.load(file_path)
+        raise(FileNotFound,"Configuration file '#{file_path}' does not exist") unless File.exist?(file_path)
+
+        doc = YAML.parse(File.new(file_path))
+
+        unless doc.kind_of?(YAML::Nodes::Document)
+          raise(InvalidConfigurationError,"Configuration found in '#{file_path}' is not YAML")
+        end
+
+        unless doc.root.kind_of?(YAML::Nodes::Mapping)
+          raise(InvalidConfigurationError,"Configuration found in '#{file_path}' is not a Hash")
+        end
+
+        config = {}
+
+        doc.root.children.each_slice(2) do |key,value|
+          case key.value
+          when 'ignore'
+            unless value.is_a?(YAML::Nodes::Sequence)
+              raise(InvalidConfigurationError,"'ignore' key found in config file, but is not an Array")
+            end
+
+            unless value.children.all? { |node| node.is_a?(YAML::Nodes::Scalar) }
+              raise(InvalidConfigurationError,"'ignore' array in config file contains a non-String")
+            end
+
+            config[:ignore] = value.children.map(&:value)
+          end
+        end
+
+        new(config)
+      end
+
+      #
+      # The list of advisory IDs to ignore.
+      #
+      # @return [Set<String>]
+      #
+      attr_reader :ignore
+
+      #
+      # Initializes the configuration.
+      #
+      # @param [Hash] config
+      #   The configuration hash.
+      #
+      # @option config [Array<String>] :ignore
+      #   The list of advisory IDs to ignore.
+      #
+      def initialize(config={})
+        @ignore = Set.new(config[:ignore])
+      end
+
+    end
+  end
+end

data/lib/bundler/audit/database.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/advisory'
@@ -28,17 +28,22 @@ module Bundler
     #
     class Database
 
-      # Git URL of the ruby-advisory-db
-      URL = 'https://github.com/rubysec/ruby-advisory-db.git'
+      class DownloadFailed < RuntimeError
+      end
 
-      # Default path to the ruby-advisory-db
-      VENDORED_PATH =  File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','data','ruby-advisory-db'))
+      class UpdateFailed < RuntimeError
+      end
 
-      # Timestamp for when the database was last updated
-      VENDORED_TIMESTAMP = Time.parse(File.read("#{VENDORED_PATH}.ts")).utc
+      # Git URL of the ruby-advisory-db
+      URL = 'https://github.com/rubysec/ruby-advisory-db.git'
 
       # Path to the user's copy of the ruby-advisory-db
-      USER_PATH = File.expand_path(File.join(ENV['HOME'],'.local','share','ruby-advisory-db'))
+      USER_PATH = File.expand_path(File.join(Gem.user_home,'.local','share','ruby-advisory-db'))
+
+      # Default path to the ruby-advisory-db
+      #
+      # @since 0.8.0
+      DEFAULT_PATH = ENV['BUNDLER_AUDIT_DB'] || USER_PATH
 
       # The path to the advisory database
       attr_reader :path
@@ -67,49 +72,176 @@ module Bundler
       #   The path to the database directory.
       #
       def self.path
-        if File.directory?(USER_PATH)
-          t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --date=iso8601 --pretty="%cd" -1`) }
-          t2 = VENDORED_TIMESTAMP
+        DEFAULT_PATH
+      end
 
-          if t1 >= t2 then USER_PATH
-          else             VENDORED_PATH
-          end
-        else
-          VENDORED_PATH
+      #
+      # Tests whether the database exists.
+      #
+      # @param [String] path
+      #   The given path of the database to check.
+      #
+      # @return [Boolean]
+      #
+      # @since 0.8.0
+      #
+      def self.exists?(path=DEFAULT_PATH)
+        File.directory?(path) && !(Dir.entries(path) - %w[. ..]).empty?
+      end
+
+      #
+      # Downloads the ruby-advisory-db.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [String] :path (DEFAULT_PATH)
+      #   The destination path for the new ruby-advisory-db.
+      #
+      # @option options [Boolean] :quiet
+      #   Specify whether `git` should be `--quiet`.
+      #
+      # @return [Dataase]
+      #   The newly downloaded database.
+      #
+      # @raise [DownloadFailed]
+      #   Indicates that the download failed.
+      #
+      # @note
+      #   Requires network access.
+      #
+      # @since 0.8.0
+      #
+      def self.download(options={})
+        unless (options.keys - [:path, :quiet]).empty?
+          raise(ArgumentError,"Invalid option(s)")
+        end
+
+        path = options.fetch(:path,DEFAULT_PATH)
+
+        command = %w[git clone]
+        command << '--quiet' if options[:quiet]
+        command << URL << path
+
+        unless system(*command)
+          raise(DownloadFailed,"failed to download #{URL} to #{path.inspect}")
         end
+
+        return new(path)
       end
 
       #
       # Updates the ruby-advisory-db.
       #
-      # @param [Boolean, quiet]
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Boolean] :quiet
       #   Specify whether `git` should be `--quiet`.
       #
       # @return [Boolean, nil]
       #   Specifies whether the update was successful.
       #   A `nil` indicates no update was performed.
       #
+      # @raise [ArgumentError]
+      #   Invalid options were given.
+      #
       # @note
       #   Requires network access.
       #
       # @since 0.3.0
       #
+      # @deprecated Use {#update!} instead.
+      #
       def self.update!(options={})
         raise "Invalid option(s)" unless (options.keys - [:quiet]).empty?
-        if File.directory?(USER_PATH)
-          if File.directory?(File.join(USER_PATH, ".git"))
-            Dir.chdir(USER_PATH) do
-              command = %w(git pull)
-              command << '--quiet' if options[:quiet]
-              command << 'origin' << 'master'
-              system *command
+
+        if File.directory?(DEFAULT_PATH)
+          begin
+            new(DEFAULT_PATH).update!(options)
+          rescue UpdateFailed then false
+          end
+        else
+          begin
+            download(options.merge(path: DEFAULT_PATH))
+          rescue DownloadFailed then false
+          end
+        end
+      end
+
+      #
+      # Determines if the database is a git repository.
+      #
+      # @return [Boolean]
+      #
+      # @since 0.8.0
+      #
+      def git?
+        File.directory?(File.join(@path,'.git'))
+      end
+
+      #
+      # Updates the ruby-advisory-db.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Boolean] :quiet
+      #   Specify whether `git` should be `--quiet`.
+      #
+      # @return [true, nil]
+      #   `true` indicates that the update was successful.
+      #   `nil` indicates the database is not a git repository, thus not
+      #   capable of being updated.
+      #
+      # @since 0.8.0
+      #
+      def update!(options={})
+        if git?
+          Dir.chdir(@path) do
+            command = %w[git pull]
+            command << '--quiet' if options[:quiet]
+            command << 'origin' << 'master'
+
+            unless system(*command)
+              raise(UpdateFailed,"failed to update #{@path.inspect}")
             end
+
+            return true
+          end
+        end
+      end
+
+      #
+      # The last commit ID of the repository.
+      #
+      # @return [String, nil]
+      #   The commit hash or `nil` if the database is not a git repository.
+      #
+      # @since 0.9.0
+      #
+      def commit_id
+        if git?
+          Dir.chdir(@path) do
+            `git rev-parse HEAD`.chomp
+          end
+        end
+      end
+
+      #
+      # Determines the time when the database was last updated.
+      #
+      # @return [Time]
+      #
+      # @since 0.8.0
+      #
+      def last_updated_at
+        if git?
+          Dir.chdir(@path) do
+            Time.parse(`git log --date=iso8601 --pretty="%cd" -1`)
           end
         else
-          command = %w(git clone)
-          command << '--quiet' if options[:quiet]
-          command << URL << USER_PATH
-          system *command
+          File.mtime(@path)
         end
       end