bundler-integrity 1.0.3 → 1.0.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/bin/bundler-integrity +30 -23
- metadata +5 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 4fd843d6b07239f0bae53bd215e4ab4e746d7431a6e91a7b980f60a11a98a973
|
4
|
+
data.tar.gz: 3526ff1ff2f66ca1706c5fe1cff1e36f2d8dc8c625f329b173946681d00b986d
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d5c31e164a25119cd9cab0221b24289854b5b4ade69cbe52872745b2dc0e30c6f3806ac205102ed2ffdb35b6701f2326649d1c4f91f2e327b4253687234b9c69
|
7
|
+
data.tar.gz: '09672e79a915eb5c6008dd69d26000954ba4fe8c62c70a8289cc3a7bdc6ed9ce4ff1916c6749a6c25a53a143b5257d98062742dfb387751f5abab20a8c0ede11'
|
data/bin/bundler-integrity
CHANGED
@@ -10,6 +10,10 @@ require 'json'
|
|
10
10
|
require 'open-uri'
|
11
11
|
require 'digest/sha2'
|
12
12
|
|
13
|
+
# This will only print gem files full names and their expected checksums WITHOUT validating
|
14
|
+
# Useful to export and run search and comparison in prod, etc
|
15
|
+
PRINT_EXPORT = (ARGV[0] == 'export')
|
16
|
+
|
13
17
|
# Packages cache paths candidates (we will check all)
|
14
18
|
CACHE_DIRS = [
|
15
19
|
Bundler::RubygemsIntegration.new.gem_cache,
|
@@ -23,7 +27,6 @@ deps = ::Bundler::Definition
|
|
23
27
|
.build(Bundler.default_gemfile, Bundler.default_lockfile, nil)
|
24
28
|
.tap(&:validate_runtime!)
|
25
29
|
|
26
|
-
|
27
30
|
deps.specs.each do |spec|
|
28
31
|
# Ignore git based, etc
|
29
32
|
next unless spec.source.is_a?(Bundler::Source::Rubygems)
|
@@ -50,35 +53,39 @@ deps.specs.each do |spec|
|
|
50
53
|
|
51
54
|
version || raise("#{full_name} not found in the RubyGems API response")
|
52
55
|
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
+
if PRINT_EXPORT
|
57
|
+
puts "#{version.fetch('sha')} #{full_name}"
|
58
|
+
else
|
59
|
+
candidates = CACHE_DIRS
|
60
|
+
.map { |dir| File.join(dir, full_name) }
|
61
|
+
.select { |path| File.exist?(path) }
|
56
62
|
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
63
|
+
if candidates.empty?
|
64
|
+
puts "\033[0;33m[WARN]\033[0m #{full_name} was not found in cache locations, maybe it is a stdlib gem?"
|
65
|
+
next
|
66
|
+
end
|
61
67
|
|
62
|
-
|
63
|
-
|
68
|
+
candidates.each do |full_path|
|
69
|
+
sha = Digest::SHA2.new
|
64
70
|
|
65
|
-
|
66
|
-
|
67
|
-
|
71
|
+
File.open(full_path) do |f|
|
72
|
+
while chunk = f.read(256)
|
73
|
+
sha << chunk
|
74
|
+
end
|
68
75
|
end
|
69
|
-
end
|
70
76
|
|
71
77
|
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
78
|
+
if version.fetch('sha') == sha.hexdigest
|
79
|
+
puts "\033[0;32m[OK]\033[0m #{full_path}"
|
80
|
+
else
|
81
|
+
puts "\033[0;31m[FAILURE]\033[0m"
|
82
|
+
puts "Checksum verification for #{full_path} failed!"
|
77
83
|
|
78
|
-
|
84
|
+
exit 1
|
85
|
+
end
|
79
86
|
end
|
87
|
+
|
88
|
+
puts "\033[0;32m[OK]\033[0m Congratulations, you're safe and sound!"
|
89
|
+
puts "\033[0;32m[OK]\033[0m Maciej Mensfeld and the WhiteSource team wishes you a good day!"
|
80
90
|
end
|
81
91
|
end
|
82
|
-
|
83
|
-
puts "\033[0;32m[OK]\033[0m Congratulations, you're safe and sound!"
|
84
|
-
puts "\033[0;32m[OK]\033[0m Maciej Mensfeld and the WhiteSource team wishes you a good day!"
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: bundler-integrity
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.0.
|
4
|
+
version: 1.0.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Maciej Mensfeld
|
@@ -10,8 +10,9 @@ bindir: bin
|
|
10
10
|
cert_chain: []
|
11
11
|
date: 2022-05-11 00:00:00.000000000 Z
|
12
12
|
dependencies: []
|
13
|
-
description: Gem to verify integrity of packages installed via Bundler
|
14
|
-
|
13
|
+
description: "Gem to verify integrity of packages installed via Bundler.\n\n It allows
|
14
|
+
to detect packages that were tampered with or replaced via cache poison or replaced.\n\n
|
15
|
+
\ Add it to your Gemfile and run bundle exec bundler-integrity.\n\n "
|
15
16
|
email:
|
16
17
|
- maciej@mensfeld.pl
|
17
18
|
executables:
|
@@ -24,7 +25,7 @@ homepage: https://whitesourcesoftware.com
|
|
24
25
|
licenses:
|
25
26
|
- MIT
|
26
27
|
metadata:
|
27
|
-
source_code_uri: https://github.com/diffend/bundler-integrity
|
28
|
+
source_code_uri: https://github.com/diffend-io/bundler-integrity
|
28
29
|
rubygems_mfa_required: 'true'
|
29
30
|
post_install_message:
|
30
31
|
rdoc_options: []
|