bundler-integrity 1.0.3 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. checksums.yaml +4 -4
  2. data/bin/bundler-integrity +30 -23
  3. metadata +5 -4
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: '019090072dfac7899d403567ec089ba8ec504dd3ec0fac5ef01ffdfbeb5e6eb7'
4
- data.tar.gz: bead107d26fd0fc5727441749da93f4621e46a5c1276dd9b44c40a423ca9cf2c
3
+ metadata.gz: 4fd843d6b07239f0bae53bd215e4ab4e746d7431a6e91a7b980f60a11a98a973
4
+ data.tar.gz: 3526ff1ff2f66ca1706c5fe1cff1e36f2d8dc8c625f329b173946681d00b986d
5
5
  SHA512:
6
- metadata.gz: aeceda2a6eeec85cd72258face6fd9e7a0de6b02adda21307d9520b5e487a9d9e236536f64ca4b26699906c061241c75a00031d5bd28f62eea32c2592cce6c92
7
- data.tar.gz: cdabb6f3a146577ce0968d311e465ec87191a2f08b18b0a5e9878cca980a2a650c3a2cb849c043f9d9432b04729e9e60d06f124b0f22a8c1f0b3bac3381fcdb7
6
+ metadata.gz: d5c31e164a25119cd9cab0221b24289854b5b4ade69cbe52872745b2dc0e30c6f3806ac205102ed2ffdb35b6701f2326649d1c4f91f2e327b4253687234b9c69
7
+ data.tar.gz: '09672e79a915eb5c6008dd69d26000954ba4fe8c62c70a8289cc3a7bdc6ed9ce4ff1916c6749a6c25a53a143b5257d98062742dfb387751f5abab20a8c0ede11'
data/bin/bundler-integrity CHANGED
@@ -10,6 +10,10 @@ require 'json'
10
10
  require 'open-uri'
11
11
  require 'digest/sha2'
12
12
 
13
+ # This will only print gem files full names and their expected checksums WITHOUT validating
14
+ # Useful to export and run search and comparison in prod, etc
15
+ PRINT_EXPORT = (ARGV[0] == 'export')
16
+
13
17
  # Packages cache paths candidates (we will check all)
14
18
  CACHE_DIRS = [
15
19
  Bundler::RubygemsIntegration.new.gem_cache,
@@ -23,7 +27,6 @@ deps = ::Bundler::Definition
23
27
  .build(Bundler.default_gemfile, Bundler.default_lockfile, nil)
24
28
  .tap(&:validate_runtime!)
25
29
 
26
-
27
30
  deps.specs.each do |spec|
28
31
  # Ignore git based, etc
29
32
  next unless spec.source.is_a?(Bundler::Source::Rubygems)
@@ -50,35 +53,39 @@ deps.specs.each do |spec|
50
53
 
51
54
  version || raise("#{full_name} not found in the RubyGems API response")
52
55
 
53
- candidates = CACHE_DIRS
54
- .map { |dir| File.join(dir, full_name) }
55
- .select { |path| File.exist?(path) }
56
+ if PRINT_EXPORT
57
+ puts "#{version.fetch('sha')} #{full_name}"
58
+ else
59
+ candidates = CACHE_DIRS
60
+ .map { |dir| File.join(dir, full_name) }
61
+ .select { |path| File.exist?(path) }
56
62
 
57
- if candidates.empty?
58
- puts "\033[0;33m[WARN]\033[0m #{full_name} was not found in cache locations, maybe it is a stdlib gem?"
59
- next
60
- end
63
+ if candidates.empty?
64
+ puts "\033[0;33m[WARN]\033[0m #{full_name} was not found in cache locations, maybe it is a stdlib gem?"
65
+ next
66
+ end
61
67
 
62
- candidates.each do |full_path|
63
- sha = Digest::SHA2.new
68
+ candidates.each do |full_path|
69
+ sha = Digest::SHA2.new
64
70
 
65
- File.open(full_path) do |f|
66
- while chunk = f.read(256)
67
- sha << chunk
71
+ File.open(full_path) do |f|
72
+ while chunk = f.read(256)
73
+ sha << chunk
74
+ end
68
75
  end
69
- end
70
76
 
71
77
 
72
- if version.fetch('sha') == sha.hexdigest
73
- puts "\033[0;32m[OK]\033[0m #{full_path}"
74
- else
75
- puts "\033[0;31m[FAILURE]\033[0m"
76
- puts "Checksum verification for #{full_path} failed!"
78
+ if version.fetch('sha') == sha.hexdigest
79
+ puts "\033[0;32m[OK]\033[0m #{full_path}"
80
+ else
81
+ puts "\033[0;31m[FAILURE]\033[0m"
82
+ puts "Checksum verification for #{full_path} failed!"
77
83
 
78
- exit 1
84
+ exit 1
85
+ end
79
86
  end
87
+
88
+ puts "\033[0;32m[OK]\033[0m Congratulations, you're safe and sound!"
89
+ puts "\033[0;32m[OK]\033[0m Maciej Mensfeld and the WhiteSource team wishes you a good day!"
80
90
  end
81
91
  end
82
-
83
- puts "\033[0;32m[OK]\033[0m Congratulations, you're safe and sound!"
84
- puts "\033[0;32m[OK]\033[0m Maciej Mensfeld and the WhiteSource team wishes you a good day!"
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: bundler-integrity
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.3
4
+ version: 1.0.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - Maciej Mensfeld
@@ -10,8 +10,9 @@ bindir: bin
10
10
  cert_chain: []
11
11
  date: 2022-05-11 00:00:00.000000000 Z
12
12
  dependencies: []
13
- description: Gem to verify integrity of packages installed via Bundler. Add it to
14
- your Gemfile and run bundle exec bundler-integrity
13
+ description: "Gem to verify integrity of packages installed via Bundler.\n\n It allows
14
+ to detect packages that were tampered with or replaced via cache poison or replaced.\n\n
15
+ \ Add it to your Gemfile and run bundle exec bundler-integrity.\n\n "
15
16
  email:
16
17
  - maciej@mensfeld.pl
17
18
  executables:
@@ -24,7 +25,7 @@ homepage: https://whitesourcesoftware.com
24
25
  licenses:
25
26
  - MIT
26
27
  metadata:
27
- source_code_uri: https://github.com/diffend/bundler-integrity
28
+ source_code_uri: https://github.com/diffend-io/bundler-integrity
28
29
  rubygems_mfa_required: 'true'
29
30
  post_install_message:
30
31
  rdoc_options: []