RubyGems - bundler-audit - Versions diffs - 0.7.0.1 → 0.9.0.1 - Mend

bundler-audit 0.7.0.1 → 0.9.0.1

Files changed (612) hide show

data/lib/bundler/audit/advisory.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,13 +12,16 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 require 'yaml'
 module Bundler
   module Audit
+    #
+    # Represents an advisory loaded from the {Database}.
+    #
     class Advisory < Struct.new(:path,
                                 :id,
                                 :url,
@@ -45,7 +48,14 @@ module Bundler
       #
       def self.load(path)
         id   = File.basename(path).chomp('.yml')
-        data = YAML.load_file(path)
+        data = File.open(path) do |yaml|
+                 if Psych::VERSION >= '3.1.0'
+                   YAML.safe_load(yaml, permitted_classes: [Date])
+                 else
+                   # XXX: psych < 3.1.0 YAML.safe_load calling convention
+                   YAML.safe_load(yaml, [Date])
+                 end
+               end
         unless data.kind_of?(Hash)
           raise("advisory data in #{path.dump} was not a Hash")
@@ -121,7 +131,7 @@ module Bundler
       #
       # Determines how critical the vulnerability is.
       #
-      # @return [:none, :low, :medium, :high, :critical]
+      # @return [:none, :low, :medium, :high, :critical, nil]
       #   The criticality of the vulnerability based on the CVSS score.
       #
       def criticality
@@ -189,6 +199,28 @@ module Bundler
         !patched?(version) && !unaffected?(version)
       end
+      #
+      # Compares two advisories.
+      #
+      # @param [Advisory] other
+      #
+      # @return [Boolean]
+      #
+      def ==(other)
+        id == other.id
+      end
+      #
+      # Converts the advisory to a Hash.
+      #
+      # @return [Hash{Symbol => Object}]
+      #
+      def to_h
+        super.merge({
+          criticality: criticality
+        })
+      end
       alias to_s id
     end

data/lib/bundler/audit/cli/formats/json.rb ADDED Viewed

@@ -0,0 +1,65 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
+#
+require 'thor'
+require 'json'
+module Bundler
+  module Audit
+    class CLI < ::Thor
+      module Formats
+        #
+        # The JSON output format.
+        #
+        module JSON
+          #
+          # Outputs the report as JSON. Will pretty-print JSON if `output`
+          # is a TTY, otherwise normal JSON will be outputted.
+          #
+          # @param [Report] report
+          #   The results from the {Scanner}.
+          #
+          # @param [IO, File] output
+          #   The output stream.
+          #
+          def print_report(report,output=$stdout)
+            hash = report.to_h
+            if output.tty?
+              output.puts(::JSON.pretty_generate(hash))
+            else
+              output.write(::JSON.generate(hash))
+            end
+          end
+          def criticality_label(advisory)
+            case advisory.criticality
+            when :none     then "none"
+            when :low      then "low"
+            when :medium   then "medium"
+            when :high     then "high"
+            when :critical then "critical"
+            else "unknown"
+            end
+          end
+        end
+        Formats.register :json, JSON
+      end
+    end
+  end
+end

data/lib/bundler/audit/cli/formats/junit.rb ADDED Viewed

@@ -0,0 +1,127 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
+#
+require 'thor'
+require 'cgi'
+module Bundler
+  module Audit
+    class CLI < ::Thor
+      module Formats
+        module Junit
+          #
+          # Prints any findings as an XML junit report.
+          #
+          # @param [Report] report
+          #   The results from the {Scanner}.
+          #
+          # @param [IO, File] output
+          #   Optional output stream.
+          #
+          def print_report(report, output=$stdout)
+            original_stdout = $stdout
+            $stdout = output
+            print_xml_testsuite(report) do
+              report.each do |result|
+                print_xml_testcase(result)
+              end
+            end
+            $stdout = original_stdout
+          end
+          private
+          def say_xml(*lines)
+            say(lines.join($/))
+          end
+          def print_xml_testsuite(report)
+            say_xml(
+              %{<?xml version="1.0" encoding="UTF-8" ?>},
+              %{<testsuites id="#{Time.now.to_i}" name="Bundle Audit">},
+              %{  <testsuite id="Gemfile" name="Ruby Gemfile" failures="#{report.count}">}
+            )
+            yield
+            say_xml(
+              %{  </testsuite>},
+              %{</testsuites>}
+            )
+          end
+          def xml(string)
+            CGI.escapeHTML(string.to_s)
+          end
+          def print_xml_testcase(result)
+            case result
+            when Results::InsecureSource
+              say_xml(
+                %{    <testcase id="#{xml(result.source)}" name="Insecure Source URI found: #{xml(result.source)}">},
+                %{      <failure message="Insecure Source URI found: #{xml(result.source)}" type="Unknown"></failure>},
+                %{    </testcase>}
+              )
+            when Results::UnpatchedGem
+              say_xml(
+                %{    <testcase id="#{xml(result.gem.name)}" name="#{xml(bundle_title(result))}">},
+                %{      <failure message="#{xml(result.advisory.title)}" type="#{xml(result.advisory.criticality)}">},
+                %{        Name: #{xml(result.gem.name)}},
+                %{        Version: #{xml(result.gem.version)}},
+                %{        Advisory: #{xml(advisory_ref(result.advisory))}},
+                %{        Criticality: #{xml(advisory_criticality(result.advisory))}},
+                %{        URL: #{xml(result.advisory.url)}},
+                %{        Title: #{xml(result.advisory.title)}},
+                %{        Solution: #{xml(advisory_solution(result.advisory))}},
+                %{      </failure>},
+                %{    </testcase>}
+              )
+            end
+          end
+          def bundle_title(result)
+            "#{advisory_criticality(result.advisory).upcase} #{result.gem.name}(#{result.gem.version}) #{result.advisory.title}"
+          end
+          def advisory_solution(advisory)
+            unless advisory.patched_versions.empty?
+              "upgrade to #{advisory.patched_versions.join(', ')}"
+            else
+              "remove or disable this gem until a patch is available!"
+            end
+          end
+          def advisory_criticality(advisory)
+            if advisory.criticality
+              advisory.criticality.to_s.capitalize
+            else
+              "Unknown"
+            end
+          end
+          def advisory_ref(advisory)
+            advisory.identifiers.join(" ")
+          end
+          Formats.register :junit, Junit
+        end
+      end
+    end
+  end
+end

data/lib/bundler/audit/cli/formats/text.rb ADDED Viewed

@@ -0,0 +1,122 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
+#
+require 'thor'
+module Bundler
+  module Audit
+    class CLI < ::Thor
+      module Formats
+        #
+        # The plain-text output format.
+        #
+        module Text
+          #
+          # Prints any findings as plain-text.
+          #
+          # @param [Report] report
+          #   The results from the {Scanner}.
+          #
+          # @param [IO, File] output
+          #   Optional output stream.
+          #
+          def print_report(report,output=$stdout)
+            original_stdout = $stdout
+            $stdout = output
+            report.each do |result|
+              case result
+              when Results::InsecureSource
+                print_warning "Insecure Source URI found: #{result.source}"
+              when Results::UnpatchedGem
+                print_advisory result.gem, result.advisory
+              end
+            end
+            if report.vulnerable?
+              say "Vulnerabilities found!", :red
+            else
+              say("No vulnerabilities found", :green) unless options.quiet?
+            end
+            $stdout = original_stdout
+          end
+          private
+          def print_warning(message)
+            say message, :yellow
+          end
+          def print_advisory(gem, advisory)
+            say "Name: ", :red
+            say gem.name
+            say "Version: ", :red
+            say gem.version
+            if advisory.cve
+              say "CVE: ", :red
+              say advisory.cve_id
+            end
+            if advisory.ghsa
+              say "GHSA: ", :red
+              say advisory.ghsa_id
+            end
+            say "Criticality: ", :red
+            case advisory.criticality
+            when :none     then say "None"
+            when :low      then say "Low"
+            when :medium   then say "Medium", :yellow
+            when :high     then say "High", [:red, :bold]
+            when :critical then say "Critical", [:red, :bold]
+            else                say "Unknown"
+            end
+            say "URL: ", :red
+            say advisory.url
+            if options.verbose?
+              say "Description:", :red
+              say
+              print_wrapped advisory.description, indent: 2
+              say
+            else
+              say "Title: ", :red
+              say advisory.title
+            end
+            unless advisory.patched_versions.empty?
+              say "Solution: upgrade to ", :red
+              say advisory.patched_versions.join(', ')
+            else
+              say "Solution: ", :red
+              say "remove or disable this gem until a patch is available!", [:red, :bold]
+            end
+            say
+          end
+        end
+        Formats.register :text, Text
+      end
+    end
+  end
+end

data/lib/bundler/audit/cli/formats.rb ADDED Viewed

@@ -0,0 +1,148 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
+#
+require 'thor'
+module Bundler
+  module Audit
+    class CLI < ::Thor
+      #
+      # {Bundler::Audit::CLI} supports outputting it's audit results as
+      # {Bundler::Audit::CLI::Formats::Text text} or
+      # {Bundler::Audit::CLI::Formats::JSON JSON}, by default.
+      #
+      # ## API
+      #
+      # {Bundler::Audit::CLI} formats are really just modules defined under
+      # {Bundler::Audit::CLI::Formats}, that define a `#print_report` entry
+      # method. When the `#print_report` method is called it will be passed a
+      # {Bundler::Audit::Report report} object and an optional `output`
+      # stream, which may be either `$stdout` or a `File` object.
+      #
+      # {Bundler::Audit::CLI} will load a format by first calling
+      # {Formats.load}, which attempts to require the
+      # `bundler/audit/cli/formats/#{format}.rb` file, then gets the registered
+      # format module using {Formats.[]}.
+      # If the format module has been successfully loaded, it will be extended
+      # into the {Bundler::Audit::CLI} instance method access to
+      # {Bundler::Audit::CLI}'s instance methods.
+      #
+      # ## Custom Formats
+      #
+      # To define a custom format, it...
+      #
+      # * MUST be defined in a file in a
+      # `lib/bundler/audit/cli/formats/` directory.
+      # * MUST define a `print_report(report,output=$stdout)` instance method.
+      # * MUST register themselves by calling {Formats.register} at the end
+      #   of the file.
+      #
+      # ### Example
+      #
+      #     # lib/bundler/audit/cli/formats/my_format.rb
+      #     module Bundler
+      #       module Audit
+      #         class CLI < ::Thor
+      #           module Formats
+      #             module MyFormat
+      #               def print_report(report,output=$stdout)
+      #                 # ...
+      #               end
+      #             end
+      #
+      #             Formats.register :my_format, MyFormat
+      #           end
+      #         end
+      #       end
+      #     end
+      #
+      module Formats
+        class FormatNotFound < RuntimeError
+        end
+        # Directory where format modules are loaded from.
+        DIR = 'bundler/audit/cli/formats'
+        @registry = {}
+        #
+        # Registers a format with the given format name.
+        #
+        # @param [Symbol, String] name
+        #
+        # @param [Module#print_results] format
+        #   The format object.
+        #
+        # @raise [NotImplementedError]
+        #   The format object does not respond to `#call`.
+        #
+        # @api public
+        #
+        def self.register(name,format)
+          unless format.instance_methods.include?(:print_report)
+            raise(NotImplementedError,"#{format.inspect} does not define #print_report")
+          end
+          @registry[name.to_sym] = format
+        end
+        #
+        # Retrieves the format by name.
+        #
+        # @param [String, Symbol] name
+        #
+        # @return [Module#print_results, nil]
+        #   The format registered with the given name or `nil`.
+        #
+        def self.[](name)
+          @registry[name.to_sym]
+        end
+        #
+        # Loads the format with the given name by attempting to require
+        # `bundler/audit/cli/formats/#{name}` and returning the registered
+        # format using {[]}.
+        #
+        # @param [#to_s] name
+        #
+        # @return [Module#print_results]
+        #
+        # @raise [FormatNotFound]
+        #   No format exists with that given name.
+        #
+        def self.load(name)
+          name = name.to_s
+          path = File.join(DIR,File.basename(name))
+          begin
+            require path
+          rescue LoadError
+            raise(FormatNotFound,"could not load format #{name.inspect}")
+          end
+          unless (format = self[name])
+            raise(FormatNotFound,"unknown format #{name.inspect}")
+          end
+          return  format
+        end
+      end
+    end
+  end
+end
+require 'bundler/audit/cli/formats/text'

data/lib/bundler/audit/cli/thor_ext/shell/basic/say_error.rb ADDED Viewed

@@ -0,0 +1,33 @@
+class Thor
+  module Shell
+    class Basic
+      #
+      # Prints an error message to `stderr`.
+      #
+      # @param [String] message
+      #   The message to print to `stderr`.
+      #
+      # @param [Symbol, nil] color
+      #   Optional ANSI color.
+      #
+      # @param [Boolean] force_new_line
+      #   Controls whether a newline character will be appended to the output.
+      #
+      def say_error(message,color=nil,force_new_line=(message.to_s !~ /( |\t)\Z/))
+        return if quiet?
+        buffer = prepare_message(message,*color)
+        buffer << $/ if force_new_line && !message.to_s.end_with?($/)
+        stderr.print(buffer)
+        stderr.flush
+      end
+    end
+    module_eval <<-METHOD, __FILE__, __LINE__ + 1
+      def say_error(*args,&block)
+        shell.say_error(*args,&block)
+      end
+    METHOD
+  end
+end