bundler-organization_audit 0.1.0 → 0.1.2

data/Gemfile

@@ -1,7 +1,7 @@
-source :rubygems
+source "https://rubygems.org"
 gemspec
 
 gem "bump"
 gem "rake"
 gem "rspec", "~>2"
-gem "bundler-audit"
+gem "bundler-audit", :github => "grosser/bundler-audit", :branch => "ignore-version", :submodules => true

data/Gemfile.lock

@@ -1,15 +1,22 @@
+GIT
+  remote: git://github.com/grosser/bundler-audit.git
+  revision: a2d65124650460f525f62c7302629fee4d697413
+  branch: ignore-version
+  submodules: true
+  specs:
+    bundler-audit (0.1.3)
+      bundler (~> 1.2)
+
 PATH
   remote: .
   specs:
-    bundler-organization_audit (0.1.0)
+    bundler-organization_audit (0.1.2)
       json
 
 GEM
-  remote: http://rubygems.org/
+  remote: https://rubygems.org/
   specs:
     bump (0.3.9)
-    bundler-audit (0.1.2)
-      bundler (~> 1.2)
     diff-lcs (1.1.3)
     json (1.7.7)
     rake (10.0.3)
@@ -27,7 +34,7 @@ PLATFORMS
 
 DEPENDENCIES
   bump
-  bundler-audit
+  bundler-audit!
   bundler-organization_audit!
   rake
   rspec (~> 2)

data/Readme.md

@@ -1,7 +1,14 @@
 Audit all Gemfiles of a user/organization on Github for unpatched versions
 
+    # simple
     gem install bundler-organization_audit
 
+    # if you want --ignore-cve
+    git clone git://github.com/grosser/bundler-organization_audit.git
+    cd bundler-organization_audit
+    bundle update bundler-audit # get new advisories
+    bundle exec ./bin/bundle-organization-audit ... options ...
+
 Usage
 =====
 
@@ -27,10 +34,10 @@ Title: Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
 Patched Versions: ~> 1.1.6, ~> 1.2.8, ~> 1.3.10, ~> 1.4.5, >= 1.5.2
 
 Vulnerable:
-https://github.com/grosser/rails_example_app
+https://github.com/grosser/rails_example_app -- Peter Last Committer <peter@last-commit-email.com>
 ```
 
-For someone elese
+For someone else
 ```Bash
 bundle-organization-audit --user grosser
 ```
@@ -40,16 +47,20 @@ Ignore gems (ignores repos that have a %{repo}.gemspec)
 bundle-organization-audit --ignore-gems
 ```
 
-For pipe -> only show vulnerable repos
+Silent:  only show vulnerable repos
 ```
 bundle-organization-audit 2>/dev/null
 ```
 
-Use for CI -> ignore old/unmaintained proejcts
+CI: ignore old/unmaintained proejcts, unfixable/unimportant cves and gems
 ```
 bundle-organization-audit \
   --ignore https://github.com/xxx/a \
   --ignore https://github.com/xxx/b \
+  --ignore-cve 2013-0269@1.5.3 \
+  --ignore-cve '2013-0123@~>3.2.10' \
+  --ignore-cve 2013-0234 \
+  --ignore-gems \
   --organization xxx \
   --token yyy
 ```
@@ -64,8 +75,13 @@ enter your password -> TOKEN
 bundle-organization-audit --user your-user --token TOKEN --organization your-organization
 ```
 
-Dev
-===
+Related
+=======
+ - [holepicker](https://github.com/jsuder/holepicker) does the same check for local projects and running servers
+ - [bundler-audit](https://github.com/postmodern/bundler-audit) check a single local project for vulerabilities
+
+Development
+===========
  - test private repo fetching via `cp spec/private{.example,}.yml` and filling it out
 
 Author

data/bin/bundle-organization-audit

@@ -12,6 +12,7 @@ end
 
 options = {
   :ignore => [],
+  :ignore_cves => [],
   :user => git_config("github.user")
 }
 OptionParser.new do |opts|
@@ -27,6 +28,7 @@ BANNER
   opts.on("--user USER", "Use user") { |user| options[:user] = user }
   opts.on("--ignore REPO_URL", "Ignore given repo urls (use multiple times)") { |repo_url| options[:ignore] << repo_url }
   opts.on("--ignore-gems", "Ignore repos that have a %{repo}.gemspec") { options[:ignore_gems] = true }
+  opts.on("--ignore-cve CVE_NUMBER", "Ignore CVE that you do not want to get warned about just number or number@gem-version") { |cve| options[:ignore_cves] << cve }
   opts.on("--organization ORGANIZATION", "Use user") { |organization| options[:organization] = organization }
   opts.on("-h", "--help", "Show this.") { puts opts; exit }
   opts.on("-v", "--version", "Show Version"){ puts Bundler::OrganizationAudit::VERSION; exit}

data/bundler-organization_audit.gemspec

@@ -9,8 +9,13 @@ Gem::Specification.new name, Bundler::OrganizationAudit::VERSION do |s|
   s.homepage = "http://github.com/grosser/#{name}"
   s.files = `git ls-files`.split("\n")
   s.license = "MIT"
-  s.signing_key = File.expand_path("~/.ssh/gem-private_key.pem")
+  key = File.expand_path("~/.ssh/gem-private_key.pem")
+  if File.exist?(key)
+    s.signing_key = key
+    s.cert_chain = ["gem-public_cert.pem"]
+  else
+    puts "No signature"
+  end
   s.executables = ["bundle-organization-audit"]
-  s.cert_chain = ["gem-public_cert.pem"]
   s.add_runtime_dependency "json"
 end

data/lib/bundler/organization_audit.rb

@@ -6,8 +6,7 @@ module Bundler
   module OrganizationAudit
     class << self
       def run(options)
-        vulnerable = find_vulnerable(options).map(&:url)
-        vulnerable -= (options[:ignore] || [])
+        vulnerable = find_vulnerable(options)
         if vulnerable.size == 0
           0
         else
@@ -19,13 +18,14 @@ module Bundler
 
       private
 
-      def download_file(repo, file, options)
-        return unless content = repo.content(file, options)
+      def download_file(repo, file)
+        return unless content = repo.content(file)
         File.open(file, "w") { |f| f.write content }
       end
 
       def find_vulnerable(options)
         Repo.all(options).select do |repo|
+          next if (options[:ignore] || []).include? repo.url
           audit_repo(repo, options)
         end
       end
@@ -34,11 +34,15 @@ module Bundler
         success = false
         $stderr.puts repo.project
         in_temp_dir do
-          if download_file(repo, "Gemfile.lock", options)
-            if options[:ignore_gems] && repo.gem?(options)
+          if download_file(repo, "Gemfile.lock")
+            if options[:ignore_gems] && repo.gem?
               $stderr.puts "Ignored because it's a gem"
             else
-              success = !sh("bundle-audit")
+              command = "bundle-audit"
+              if options[:ignore_cves] && options[:ignore_cves].any?
+                command << " --ignore #{options[:ignore_cves].map { |cve| "'CVE-#{cve}'"  }.join(" ")}"
+              end
+              success = !sh(command)
             end
           else
             $stderr.puts "No Gemfile.lock found"

data/lib/bundler/organization_audit/repo.rb

@@ -7,18 +7,22 @@ module Bundler
     class Repo
       HOST = "https://api.github.com"
 
-      def initialize(data)
+      def initialize(data, token=nil)
         @data = data
+        @token = token
       end
 
-      def gem?(options={})
-        !!content("#{project}.gemspec", options)
+      def gem?
+        !!content("#{project}.gemspec")
       end
 
       def url
         api_url.sub("api.", "").sub("/repos", "")
       end
-      alias_method :to_s, :url
+
+      def to_s
+        "#{url} -- #{last_commiter}"
+      end
 
       def project
         api_url.split("/").last
@@ -34,12 +38,13 @@ module Bundler
         end
         url = File.join(HOST, user, "repos")
 
-        download_all_pages(url, headers(options[:token])).map { |data| Repo.new(data) }
+        token = options[:token]
+        download_all_pages(url, headers(token)).map { |data| Repo.new(data, token) }
       end
 
-      def content(file, options={})
+      def content(file)
         if private?
-          download_content_via_api(file, options)
+          download_content_via_api(file)
         else
           download_content_via_raw(file)
         end
@@ -51,13 +56,22 @@ module Bundler
         @data["private"]
       end
 
+      def last_commiter
+        response = call_api("commits/#{branch}")
+        committer = response["commit"]["committer"]
+        "#{committer["name"]} <#{committer["email"]}>"
+      end
+
       private
 
       def self.download_all_pages(url, headers)
         results = []
         page = 1
         loop do
-          result = JSON.parse(open("#{url}?page=#{page}", headers).read)
+          response = decorate_errors do
+            open("#{url}?page=#{page}", headers).read
+          end
+          result = JSON.parse(response)
           if result.size == 0
             break
           else
@@ -81,13 +95,25 @@ module Bundler
       end
 
       # increases api rate limit
-      def download_content_via_api(file, options)
-        url = File.join(api_url, "contents", file, "?ref=#{branch}")
-        content = open(url, self.class.headers(options.fetch(:token))).read
-        content = JSON.load(content)["content"]
+      def download_content_via_api(file)
+        content = call_api("contents/#{file}?branch=#{branch}")["content"]
         Base64.decode64(content)
       end
 
+      def call_api(path)
+        content = self.class.decorate_errors do
+          open(File.join(api_url, path), self.class.headers(@token)).read
+        end
+        JSON.load(content)
+      end
+
+      def self.decorate_errors
+        yield
+      rescue OpenURI::HTTPError => e
+        e.message << " -- body: " << e.io.read
+        raise e
+      end
+
       # unlimited
       def download_content_via_raw(file)
         open(File.join(raw_url, branch, file)).read

data/lib/bundler/organization_audit/version.rb

@@ -1,5 +1,5 @@
 module Bundler
   module OrganizationAudit
-    VERSION = "0.1.0"
+    VERSION = "0.1.2"
   end
 end

data/spec/bundler/organization_audit/repo_spec.rb

@@ -28,6 +28,12 @@ describe Bundler::OrganizationAudit::Repo do
     end
   end
 
+  describe "#last_commiter" do
+    it "returns nice info" do
+      repo.last_commiter.should == "grosser <grosser.michael@gmail.com>"
+    end
+  end
+
   describe "#content" do
     it "can download a public file" do
       repo.content("Gemfile.lock").should include('rspec (2')
@@ -37,9 +43,9 @@ describe Bundler::OrganizationAudit::Repo do
       it "can download a private file" do
         url = "https://api.github.com/repos/#{config["organization"]}/#{config["expected_organization"]}"
         repo = Bundler::OrganizationAudit::Repo.new(
-          "url" => url, "private" => true
+          {"url" => url, "private" => true}, config["token"]
         )
-        content = repo.content("Gemfile.lock", :token => config["token"], :user => config["user"])
+        content = repo.content("Gemfile.lock")
         content.should include('i18n (0.')
       end
     end

data/spec/bundler/organization_audit_spec.rb

@@ -64,7 +64,7 @@ describe Bundler::OrganizationAudit do
 
     it "only shows failed projects on stdout" do
       result = audit("--user user-with-unpatched-apps 2>/dev/null", :fail => true, :keep_output => true)
-      result.should == "https://github.com/user-with-unpatched-apps/unpatched\n"
+      result.should == "https://github.com/user-with-unpatched-apps/unpatched -- grosser <grosser.michael@gmail.com>\n"
     end
 
     it "ignores projects in --ignore" do
@@ -72,6 +72,11 @@ describe Bundler::OrganizationAudit do
       result.should == ""
     end
 
+    it "ignores CVEs via --ignore-cve" do
+      result = audit("--user user-with-unpatched-apps --ignore-cve 2013-0269 2>/dev/null", :keep_output => true)
+      result.should == ""
+    end
+
     it "shows --version" do
       audit("--version").should include(Bundler::OrganizationAudit::VERSION)
     end

data/spec/spec_helper.rb

@@ -1 +1,2 @@
 require "bundler/organization_audit"
+require "yaml"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler-organization_audit
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.2
   prerelease: 
 platform: ruby
 authors:
@@ -36,7 +36,7 @@ cert_chain:
   VHNmKzZNYWVud0FNa0FnSGRzd0dzSnp0T25ObkJhM0YKeTBrQ1NXbUs2RCt4
   L1NiZlM2cjdLZTA3TVJxemlKZEI5R3VFMSswY0lSdUZoOEVRK0xONkhYQ0tN
   NXBvbi9HVQp5Y3dNWGZsMAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
-date: 2013-02-18 00:00:00.000000000 Z
+date: 2013-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -92,7 +92,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 75415256473976345
+      hash: -3883081273091798118
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -101,10 +101,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 75415256473976345
+      hash: -3883081273091798118
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
 summary: Audit all Gemfiles of a user/organization on github for unpatched versions