bundler-patch 0.6.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 11622ac1ecc12f9b1357768a9d8548fa5b9d54fd
+  data.tar.gz: 9f824a7f9b6fe2c3478700d24281ef5006ce2102
+SHA512:
+  metadata.gz: 272b7fef46e02020fb40ea6888501c704aaf0e93f428505d43f8b512829b0e383efef0a2e1f6aec6a08f972ee80fa826df6059cb137a3bfbe1a2524bc758e661
+  data.tar.gz: b71751b264518c672f6fde631f7becc3307874a9ae547437849015438d8842b74cb4548fb85f359ef3d4d1c524e1607749f88e6dd4f80f94b76f7b76f282c6d9

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/bin/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--backtrace

data/.ruby-version

@@ -0,0 +1 @@
+2.2.4

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.2.4
+before_install: gem install bundler -v 1.10.6

data/Gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+source 'https://gems.livingsocial.net'
+
+# Specify your gem's dependencies in bundler-patch.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 LivingSocial
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,135 @@
+# Bundler::Patch
+
+`bundler-patch` can update your Gemfile conservatively to deal with vulnerable gems or just get more current.
+
+## Goals
+
+- Update the Gemfile, .ruby-version and other files to patch an app according to `ruby-advisory-db` content.
+- Don't upgrade past the minimum gem version required.
+- Minimal munging to existing version spec.
+- Support a database of custom advisories for internal gems.
+
+## Installation
+
+    $ gem install bundler-patch
+
+## Usage
+
+### Scan / Patch Security Vulnerable Gems
+
+To output the list of detected vulnerabilities in the current project:
+
+    $ bundle-patch scan
+
+To specify the path to an optional advisory database:
+
+    $ bundle-patch scan -a ~/.my-custom-db
+
+_*NOTE*: `gems` will be appended to the end of the provided advisory database path._
+
+To attempt to patch the detected vulnerabilities, use the `patch` command instead of `scan`:
+
+    $ bundle-patch patch
+
+Same options apply. Read the next section for details on how bumps to release, minor and major versions work.
+
+For help:
+
+    $ bundle-patch help scan
+    $ bundle-patch help patch
+
+### Conservatively Update All Gems
+
+To update any gem conservatively, use the `update` command:
+
+    $ bundle-patch update 'foo bar'
+
+This will attempt to upgrade the `foo` and `bar` gems to the latest release version. (e.g. if the current version is
+`1.4.3` and the latest available `1.4.x` version is `1.4.8`, it will attempt to upgrade it to `1.4.8`). If any
+dependent gems need to be upgraded to a new minor or even major version, then it will do those as well, presuming the
+gem requirements specified in the `Gemfile` also allow it.
+
+If you want to restrict _any_ gem from being upgraded past the most recent release version, use `--strict` mode:
+
+    $ bundle-patch update 'foo bar' --strict
+
+This will eliminate any newer minor or major releases for any gem. If Bundler is unable to upgrade the requested gems
+due to the limitations, it will leave the requested gems at their current version.
+
+If you want to allow minor release upgrades (e.g. to allow an upgrade from `1.4.3` to `1.6.1`) use the `--minor_allowed`
+option.
+
+`--minor_allowed` (alias `-m`) and `--strict` (alias `-s`) can be used together or independently.
+
+While `--minor_allowed` is most useful in combination with the `--strict` option, it can also influence behavior when
+not in strict mode.
+
+For example, if an update to `foo` is requested, current version is `1.4.3` and `foo` has both `1.4.8` and `1.6.1`
+available, then without `--minor_allowed` and without `--strict`, `foo` itself will only be upgraded to `1.4.8`, though
+any gems further down the dependency tree could be upgraded to a new minor or major version if they have to be to use
+`foo 1.4.8`.
+
+Continuing the example, _with_ `--minor_allowed` (but still without `--strict`) `foo` itself would be upgraded to
+`1.6.1`, and as before any gems further down the dependency tree could be upgraded to a new minor or major version if
+they have to.
+
+To request conservative updates for the entire Gemfile, simply call `update`:
+
+    $ bundle-patch update
+
+There's no option to allow major version upgrades as this is the default behavior of `bundle update` in Bundler itself.
+
+
+### Troubleshooting
+
+First tip: make sure the current `bundle` command runs to completion on its own without any problems.
+
+The most frequent problems with this tool involve expectations around what gems should or shouldn't be upgraded. This
+can quickly get complicated as even a small dependency tree can involve many moving parts, and Bundler works hard to
+find a combination that satisfies all of the dependencies and requirements.
+
+You can get a (very verbose) look into how Bundler's resolution algorithm is working by setting the `DEBUG_RESOLVER`
+environment variable. While it can be tricky to dig through, it should explain how it came to the conclusions it came
+to.
+
+Adding to the usual Bundler complexity, `bundler-patch` is injecting its own logic to the resolution process to achieve
+its goals. If there's a bug involved, it's almost certainly in the `bundler-patch` code as Bundler has been around a
+long time and has thorough testing and real world experience.
+
+In particular, grep for 'Unwinding for conflict' to isolate some key issues that may be preventing the outcome you
+expect.
+
+`bundler-patch` can dump its own debug output, potentially helpful, with `DEBUG_PATCH_RESOLVER`.
+
+To get additional Bundler debugging output, enable the `DEBUG` env variable. This will include all of the details of
+the downloading the full dependency data from remote sources.
+
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can
+also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the
+version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version,
+push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/livingsocial/bundler-patch.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+
+
+## Misc
+
+None of these do what we need, but may have some code doing some similar work in places.
+
+- http://www.rubydoc.info/gems/bundler-auto-update/0.1.0 (runs tests after each gem upgrade)
+- http://www.rubydoc.info/gems/bundler-updater/0.0.3 (interactive prompt for what's available to upgrade to)
+- https://github.com/rosylilly/bundler-add (outputs Gemfile line for adding a gem)
+
+

data/Rakefile

@@ -0,0 +1,7 @@
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec
+
+require 'bundler/gem_tasks'

data/bin/bundle-patch

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+
+lib_dir = File.expand_path(File.join(File.dirname(__FILE__),'..','lib'))
+$LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
+
+require 'bundler/patch'
+
+Bundler::Patch::Scanner.start

data/bin/console

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "bundler/patch"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+require "pry"
+Pry.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/bundler-patch.gemspec

@@ -0,0 +1,30 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'bundler/patch/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'bundler-patch'
+  spec.version       = Bundler::Patch::VERSION
+  spec.authors       = ['chrismo']
+  spec.email         = ['chrismo@clabs.org']
+
+  spec.summary       = %q{Conservative bundler updates}
+  # spec.description   = ''
+  spec.homepage      = 'https://github.com/livingsocial/bundler-patch'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = 'bin'
+  spec.executables   = ['bundle-patch']
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'bundler-advise', '~> 1.0', '>= 1.0.3'
+  spec.add_dependency 'boson'
+  spec.add_dependency 'bundler', '~> 1.10'
+
+  spec.add_development_dependency 'bundler-fixture', '~> 1.1'
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec'
+end

data/lib/bundler/patch/advisory_consolidator.rb

@@ -0,0 +1,73 @@
+module Bundler::Patch
+  class AdvisoryConsolidator
+    def initialize(options={}, all_ads=nil)
+      @options = options
+      @all_ads = all_ads || [].tap do |a|
+        a << Bundler::Advise::Advisories.new unless options[:skip_bundler_advise]
+        a << Bundler::Advise::Advisories.new(dir: options[:advisory_db_path], repo: nil) if options[:advisory_db_path]
+      end
+    end
+
+    def vulnerable_gems
+      @all_ads.map do |ads|
+        ads.update if ads.repo
+        Bundler::Advise::GemAdviser.new(advisories: ads).scan_lockfile
+      end.flatten.map do |advisory|
+        patched = advisory.patched_versions.map do |pv|
+          # this is a little stupid for compound requirements, but works itself out in consolidate_gemfiles
+          pv.requirements.map { |_, v| v.to_s }
+        end.flatten
+        Gemfile.new(gem_name: advisory.gem, patched_versions: patched)
+      end.group_by do |gemfile|
+        gemfile.gem_name
+      end.map do |_, gemfiles|
+        consolidate_gemfiles(gemfiles)
+      end.flatten
+    end
+
+    def patch_gemfile_and_get_gem_specs_to_patch
+      gem_update_specs = vulnerable_gems
+      locked = Bundler::LockfileParser.new(Bundler.read_file(Bundler.default_lockfile)).specs
+
+      gem_update_specs.map(&:update) # modify requirements in Gemfile if necessary
+
+      gem_update_specs.map do |up_spec|
+        old_version = locked.detect { |s| s.name == up_spec.gem_name }.version.to_s
+        new_version = up_spec.calc_new_version(old_version)
+        if new_version
+          GemPatch.new(gem_name: up_spec.gem_name, old_version: old_version,
+                       new_version: new_version, patched_versions: up_spec.patched_versions)
+        else
+          GemPatch.new(gem_name: up_spec.gem_name, old_version: old_version, patched_versions: up_spec.patched_versions)
+        end
+      end.partition { |gp| !gp.new_version.nil? }
+    end
+
+    private
+
+    def consolidate_gemfiles(gemfiles)
+      gemfiles if gemfiles.length == 1
+      all_gem_names = gemfiles.map(&:gem_name).uniq
+      raise 'Must be all same gem name' unless all_gem_names.length == 1
+      highest_minor_patched = gemfiles.map do |g|
+        g.patched_versions
+      end.flatten.group_by do |v|
+        Gem::Version.new(v).segments[0..1].join('.')
+      end.map do |_, all|
+        all.sort.last
+      end
+      Gemfile.new(gem_name: all_gem_names.first, patched_versions: highest_minor_patched)
+    end
+  end
+
+  class GemPatch
+    attr_reader :gem_name, :old_version, :new_version, :patched_versions
+
+    def initialize(gem_name:, old_version: nil, new_version: nil, patched_versions: nil)
+      @gem_name = gem_name
+      @old_version = old_version
+      @new_version = new_version
+      @patched_versions = patched_versions
+    end
+  end
+end

data/lib/bundler/patch/conservative_definition.rb

@@ -0,0 +1,122 @@
+module Bundler::Patch
+  module ConservativeDefinition
+    attr_accessor :gems_to_update
+
+    # pass-through options to ConservativeResolver
+    attr_accessor :strict, :minor_allowed
+
+    # This copies more code than I'd like out of Bundler::Definition, but for now seems the least invasive way in.
+    # Backing up and intervening into the creation of a Definition instance itself involves a lot more code, a lot
+    # more preliminary data has to be gathered first.
+    def resolve
+      @resolve ||= begin
+        last_resolve = converge_locked_specs
+        if Bundler.settings[:frozen] || (!@unlocking && nothing_changed?)
+          last_resolve
+        else
+          # Run a resolve against the locally available gems
+          base = last_resolve.is_a?(Bundler::SpecSet) ? Bundler::SpecSet.new(last_resolve) : []
+          resolver = ConservativeResolver.new(index, source_requirements, base)
+          locked_specs = if @unlocking && @locked_specs.length == 0
+                           # Have to grab these again. Default behavior is to not store any
+                           # locked_specs if updating all gems, because behavior is the same
+                           # with no lockfile OR lockfile but update them all. In our case,
+                           # we need to know the locked versions for conservative comparison.
+                           locked = Bundler::LockfileParser.new(@lockfile_contents)
+                           Bundler::SpecSet.new(locked.specs)
+                         else
+                           @locked_specs
+                         end
+
+          resolver.gems_to_update = @gems_to_update
+          resolver.locked_specs = locked_specs
+          resolver.strict = @strict
+          resolver.minor_allowed = @minor_allowed
+          result = resolver.start(expanded_dependencies)
+          spec_set = Bundler::SpecSet.new(result)
+
+          last_resolve.merge spec_set
+        end
+      end
+    end
+  end
+
+  class DefinitionPrep
+    attr_reader :bundler_def
+
+    def initialize(bundler_def, gem_patches, options)
+      @bundler_def = bundler_def
+      @gems_to_update = GemsToUpdate.new(gem_patches, options)
+      @options = options
+    end
+
+    def prep
+      @bundler_def ||= Bundler.definition(@gems_to_update.to_bundler_definition)
+      @bundler_def.extend ConservativeDefinition
+      @bundler_def.gems_to_update = @gems_to_update
+      @bundler_def.strict = @options[:strict]
+      @bundler_def.minor_allowed = @options[:minor_allowed]
+      fixup_empty_remotes if @gems_to_update.to_bundler_definition === true
+      @bundler_def
+    end
+
+    # This may only matter in cases like sidekiq where the sidekiq-pro gem is served
+    # from their gem server and depends on the open-source sidekiq gem served from
+    # rubygems.org, and when patching those, without the appropriate remotes being
+    # set in rubygems_aggregrate, it won't work.
+    #
+    # I've seen some other weird cases where a remote source index had no entry for a
+    # gem and would trip up bundler-audit. I couldn't pin them down at the time though.
+    # But I want to keep this in case.
+    #
+    # The underlying issue in Bundler 1.10 appears to be when the Definition
+    # constructor receives `true` as the `unlock` parameter, then @locked_sources
+    # is initialized to empty array, and the related rubygems_aggregrate
+    # source instance ends up with no @remotes set in it, which I think happens during
+    # converge_sources. Without those set, then the index will list no gem versions in
+    # some cases. (It was complicated enough to discover this patch, I haven't fully
+    # worked out the flaw, which still could be on my side of the fence).
+    def fixup_empty_remotes
+      b_sources = @bundler_def.send(:sources)
+      empty_remotes = b_sources.rubygems_sources.detect { |s| s.remotes.empty? }
+      empty_remotes.remotes.push(*b_sources.rubygems_remotes) if empty_remotes
+    end
+  end
+
+  class GemsToUpdate
+    attr_reader :gem_patches, :patching
+
+    def initialize(gem_patches, options={})
+      @gem_patches = Array(gem_patches)
+      @patching = options[:patching]
+    end
+
+    def to_bundler_definition
+      unlocking_all? ? true : {gems: to_gem_names}
+    end
+
+    def to_gem_names
+      @gem_patches.map(&:gem_name)
+    end
+
+    def patching_gem?(gem_name)
+      @patching && to_gem_names.include?(gem_name)
+    end
+
+    def patching_but_not_this_gem?(gem_name)
+      @patching && !to_gem_names.include?(gem_name)
+    end
+
+    def gem_patch_for(gem_name)
+      @gem_patches.detect { |gp| gp.gem_name == gem_name }
+    end
+
+    def unlocking_all?
+      @patching || @gem_patches.empty?
+    end
+
+    def unlocking_gem?(gem_name)
+      unlocking_all? || to_gem_names.include?(gem_name)
+    end
+  end
+end

data/lib/bundler/patch/conservative_resolver.rb

@@ -0,0 +1,109 @@
+module Bundler::Patch
+  class ConservativeResolver < Bundler::Resolver
+    attr_accessor :locked_specs, :gems_to_update, :strict, :minor_allowed
+
+    def search_for(dependency)
+      res = super(dependency)
+
+      dep = dependency.dep unless dependency.is_a? Gem::Dependency
+      @conservative_search_for ||= {}
+      #@conservative_search_for[dep] ||= # TODO turning off caching allowed a real-world sample to work, dunno why yet.
+      begin
+        gem_name = dep.name
+
+        # An Array per version returned, different entries for different platforms.
+        # We just need the version here so it's ok to hard code this to the first instance.
+        locked_spec = @locked_specs[gem_name].first
+
+        (@strict ?
+          filter_specs(res, locked_spec) :
+          sort_specs(res, locked_spec)).tap do |res|
+          if ENV['DEBUG_PATCH_RESOLVER']
+            # TODO: if we keep this, gotta go through Bundler.ui
+            begin
+              if res
+                p debug_format_result(dep, res)
+              else
+                p "No res for #{dep.to_s}. Orig res: #{super(dependency)}"
+              end
+            rescue => e
+              p [e.message, e.backtrace[0..5]]
+            end
+          end
+        end
+      end
+    end
+
+    def debug_format_result(dep, res)
+      a = [dep.to_s,
+           res.map { |sg| [sg.version, sg.dependencies_for_activated_platforms.map { |dp| [dp.name, dp.requirement.to_s] }] }]
+      [a.first, a.last.map { |sg_data| [sg_data.first.version, sg_data.last.map { |aa| aa.join(' ') }] }]
+    end
+
+    def filter_specs(specs, locked_spec)
+      res = specs.select do |sg|
+        # SpecGroup is grouped by name/version, multiple entries for multiple platforms.
+        # We only need the name, which will be the same, so hard coding to first is ok.
+        gem_spec = sg.first
+
+        if locked_spec
+          gsv = gem_spec.version
+          lsv = locked_spec.version
+
+          must_match = @minor_allowed ? [0] : [0, 1]
+
+          matches = must_match.map { |idx| gsv.segments[idx] == lsv.segments[idx] }
+          (matches.uniq == [true]) ? gsv.send(:>=, lsv) : false
+        else
+          true
+        end
+      end
+
+      sort_specs(res, locked_spec)
+    end
+
+    def sort_specs(specs, locked_spec)
+      return specs unless locked_spec
+      gem_name = locked_spec.name
+      locked_version = locked_spec.version
+
+      filtered = specs.select { |s| s.first.version >= locked_version }
+
+      filtered.sort do |a, b|
+        a_ver = a.first.version
+        b_ver = b.first.version
+        case
+        when a_ver.segments[0] != b_ver.segments[0]
+          b_ver <=> a_ver
+        when !@minor_allowed && (a_ver.segments[1] != b_ver.segments[1])
+          b_ver <=> a_ver
+        when @gems_to_update.patching_but_not_this_gem?(gem_name)
+          b_ver <=> a_ver
+        else
+          a_ver <=> b_ver
+        end
+      end.tap do |result|
+        if @gems_to_update.unlocking_gem?(gem_name)
+          if @gems_to_update.patching_gem?(gem_name)
+            # this logic will keep a gem from updating past the patched version
+            # if a more recent release (or minor, if enabled) version exists.
+            # TODO: not sure if we want this special logic to remain or not.
+            new_version = @gems_to_update.gem_patch_for(gem_name).new_version
+            swap_version_to_end(specs, new_version, result) if new_version
+          end
+        else
+          # make sure the current locked version is last in list.
+          swap_version_to_end(specs, locked_version, result)
+        end
+      end
+    end
+
+    def swap_version_to_end(specs, version, result)
+      spec_group = specs.detect { |s| s.first.version.to_s == version.to_s }
+      if spec_group
+        result.reject! { |s| s.first.version.to_s === version.to_s }
+        result << spec_group
+      end
+    end
+  end
+end

data/lib/bundler/patch/gemfile.rb

@@ -0,0 +1,104 @@
+module Bundler::Patch
+  class Gemfile < UpdateSpec
+    attr_reader :gem_name
+
+    def initialize(target_dir: Dir.pwd,
+                   gem_name:,
+                   patched_versions: [])
+      super(target_file: 'Gemfile',
+            target_dir: target_dir,
+            patched_versions: patched_versions)
+      @gem_name = gem_name
+    end
+
+    def to_s
+      "#{@gem_name} #{patched_versions}"
+    end
+
+    def update
+      # Bundler evals the whole Gemfile in Bundler::Dsl.evaluate
+      # It has a few magics to parse all possible calls to `gem`
+      # command. It doesn't have anything to output the entire
+      # Gemfile, I don't think it ever does that. (There is code
+      # to init a Gemfile from a gemspec, but it doesn't look
+      # like it's intended to recreate one just evaled - I don't
+      # see any code that would handle additional sources or
+      # groups - see lib/bundler/rubygems_ext.rb #to_gemfile).
+      #
+      # So without something in Bundler that round-trips from
+      # Gemfile back to disk and maintains integrity, then we
+      # couldn't re-use it to make modifications to the Gemfile
+      # like we'd want to, so we'll do this ourselves.
+      #
+      # We'll still instance_eval the gem line though, to properly
+      # handle the various options and possible multiple reqs.
+      @target_file = 'Gemfile'
+      @regexes = /^\s*gem.*['"]\s*#{@gem_name}\s*['"].*$/
+      file_replace do |match, re|
+        update_to_new_gem_version(match)
+      end
+    end
+
+    def update_to_new_gem_version(match)
+      dep = instance_eval(match)
+      req = dep.requirement
+
+      prefix = req.exact? ? '' : req.specific? ? '~> ' : '>= '
+
+      current_version = req.requirements.first.last.to_s
+      new_version = calc_new_version(current_version)
+
+      # return match if req.satisfied_by?(Gem::Version.new(new_version))
+      #
+      # TODO: This ^^ could be acceptable, slightly less complex, to not ever
+      # touch the requirement if it already covers the patched version.
+      # But I can't recall Bundler behavior in all these cases, to ensure
+      # at least the patch version is updated and/or we would like to be as
+      # conservative as possible in updating - can't recall how much influence
+      # we have over `bundle update` (not much)
+
+      return match if req.compound? && req.satisfied_by?(Gem::Version.new(new_version))
+
+      if new_version && prefix =~ /~/
+        # could Gem::Version#approximate_recommendation work here?
+
+        # match segments. if started with ~> 1.2 and new_version is 3 segments, replace with 2 segments.
+        count = current_version.split(/\./).length
+        new_version = new_version.split(/\./)[0..(count-1)].join('.')
+      end
+
+      if new_version
+        match.sub(requirements_args_regexp, " '#{prefix}#{new_version}'").tap { |s| "Updating to #{s}" }
+      else
+        match
+      end
+    end
+
+    private
+
+    def requirements_args_regexp
+      ops = Gem::Requirement::OPS.keys.join "|"
+      re = /(\s*['\"]\s*(#{ops})?\s*#{Gem::Version::VERSION_PATTERN}\s*['"],*)+/
+    end
+
+    # See Bundler::Dsl for reference
+    def gem(name, *args)
+      # we're not concerned with options here.
+      _options = args.last.is_a?(Hash) ? args.pop.dup : {}
+      version = args || ['>= 0']
+
+      # there is a normalize_options step that DOES involve
+      # the args captured in version for `git` and `path`
+      # sources that's skipped here ... need to dig into that
+      # at some point.
+
+      Gem::Dependency.new(name, version)
+    end
+  end
+end
+
+class Gem::Requirement
+  def compound?
+    @requirements.length > 1
+  end
+end

data/lib/bundler/patch/ruby_version.rb

@@ -0,0 +1,25 @@
+module Bundler::Patch
+  class RubyVersion < UpdateSpec
+    def self.files
+      {
+        '.ruby-version' => [/.*/],
+        '.jenkins.xml' => [/\<string\>(.*)\<\/string\>/, /rvm.*\>ruby-(.*)@/, /version.*rbenv.*\>(.*)\</]
+      }
+    end
+
+    def initialize(target_dir: Dir.pwd, patched_versions: [])
+      super(target_file: target_file,
+            target_dir: target_dir,
+            regexes: regexes,
+            patched_versions: patched_versions)
+    end
+
+    def update
+      self.class.files.each_pair do |file, regexes|
+        @target_file = file
+        @regexes = regexes
+        file_replace
+      end
+    end
+  end
+end

data/lib/bundler/patch/scanner.rb

@@ -0,0 +1,87 @@
+require 'bundler/advise'
+require 'boson/runner'
+
+module Bundler::Patch
+  class Scanner < Boson::Runner
+    def initialize
+      @no_vulns_message = 'No known vulnerabilities to update.'
+    end
+
+    option :advisory_db_path, type: :string, desc: 'Optional custom advisory db path.'
+    desc 'Scans current directory for known vulnerabilities and outputs them.'
+
+    def scan(options={}) # TODO: Revamp the commands now that we've broadened into security specific and generic
+      header
+      gem_patches = AdvisoryConsolidator.new(options).vulnerable_gems
+
+      if gem_patches.empty?
+        puts @no_vulns_message
+      else
+        puts # extra line to separate from advisory db update text
+        puts 'Detected vulnerabilities:'
+        puts '-------------------------'
+        gem_patches.each do |gp|
+          puts "Need to update #{gp.gem_name}: #{gp.old_version} => #{gp.new_version}" # TODO: Bundler.ui
+        end
+      end
+    end
+
+    option :strict, type: :boolean, desc: 'Do not allow any gem to be upgraded past most recent release (or minor if -m used). Sometimes raises VersionConflict.'
+    option :minor_allowed, type: :boolean, desc: 'Upgrade to the latest minor.release version.'
+    option :advisory_db_path, type: :string, desc: 'Optional custom advisory db path.'
+    desc 'Scans current directory for known vulnerabilities and attempts to patch your files to fix them.'
+
+    def patch(options={}) # TODO: Revamp the commands now that we've broadened into security specific and generic
+      header
+
+      gem_patches, warnings = AdvisoryConsolidator.new(options).patch_gemfile_and_get_gem_specs_to_patch
+
+      unless warnings.empty?
+        warnings.each do |gp|
+          # TODO: Bundler.ui
+          puts "* Could not attempt upgrade for #{gp.gem_name} from #{gp.old_version} to any patched versions " \
+            + "#{gp.patched_versions.join(', ')}. Most often this is because a major version increment would be " \
+            + "required and it's safer for a major version increase to be done manually."
+        end
+      end
+
+      if gem_patches.empty?
+        puts @no_vulns_message
+      else
+        gem_patches.each do |gp|
+          puts "Attempting #{gp.gem_name}: #{gp.old_version} => #{gp.new_version}" # TODO: Bundler.ui
+        end
+
+        puts "Updating '#{gem_patches.map(&:gem_name).join(' ')}' to address vulnerabilities"
+        conservative_update(gem_patches, options.merge(patching: true))
+      end
+    end
+
+    option :strict, type: :boolean, desc: 'Do not allow any gem to be upgraded past most recent release (or minor if -m used). Sometimes raises VersionConflict.'
+    option :minor_allowed, type: :boolean, desc: 'Upgrade to the latest minor.release version.'
+    # TODO: be nice to support array w/o quotes like real `bundle update`
+    option :gems_to_update, type: :array, split: ' ', desc: 'Optional list of gems to update, in quotes, space delimited'
+    desc 'Update spec gems to the latest release version. Required gems could be upgraded to latest minor or major if necessary.'
+    config default_option: 'gems_to_update'
+
+    def update(options={}) # TODO: Revamp the commands now that we've broadened into security specific and generic
+      header
+      gem_patches = (options.delete(:gems_to_update) || []).map { |gem_name| GemPatch.new(gem_name: gem_name) }
+      conservative_update(gem_patches, options.merge(updating: true))
+    end
+
+    private
+
+    def header
+      puts "Bundler Patch Version #{Bundler::Patch::VERSION}"
+    end
+
+    def conservative_update(gem_patches, options={}, bundler_def=nil)
+      Bundler.ui = Bundler::UI::Shell.new
+
+      prep = DefinitionPrep.new(bundler_def, gem_patches, options).tap { |p| p.prep }
+
+      Bundler::Installer.install(Bundler.root, prep.bundler_def)
+    end
+  end
+end

data/lib/bundler/patch/updater.rb

@@ -0,0 +1,85 @@
+module Bundler::Patch
+  class UpdateSpec
+    attr_accessor :target_file, :target_dir, :regexes, :patched_versions
+
+    def initialize(target_file: '',
+                   target_dir: Dir.pwd,
+                   regexes: [/.*/],
+                   patched_versions: [])
+      @target_file = target_file
+      @target_dir = target_dir
+      @regexes = regexes
+      @patched_versions = patched_versions
+    end
+
+    def target_path_fn
+      File.join(@target_dir, @target_file)
+    end
+
+    def calc_new_version(old_version)
+      old = old_version
+      all = @patched_versions.dup
+      return old_version if all.include?(old)
+
+      all << old
+      all.sort!
+      all.delete_if { |v| v.split(/\./).first != old.split(/\./).first } # strip non-matching major revs
+      all[all.index(old) + 1]
+    end
+
+    def file_replace
+      filename = target_path_fn
+      unless File.exist?(filename)
+        puts "Cannot find #{filename}"
+        return
+      end
+
+      guts = File.read(filename)
+      any_changes = false
+      [@regexes].flatten.each do |re|
+        any_changes = guts.gsub!(re) do |match|
+          if block_given?
+            yield match, re
+          else
+            update_to_new_version(match, re)
+          end
+        end || any_changes
+      end
+
+      if any_changes
+        File.open(filename, 'w') { |f| f.print guts }
+        verbose_puts "Updated #{filename}"
+      else
+        verbose_puts "No changes for #{filename}"
+      end
+    end
+
+    def update_to_new_version(match, re)
+      current_version = match.scan(re).join
+      new_version = calc_new_version(current_version)
+      if new_version
+        match.sub(current_version, new_version).tap { |s| puts "Updating to #{s}" }
+      else
+        match
+      end
+    end
+
+    alias_method :update, :file_replace
+
+    def verbose_puts(text)
+      puts text if @verbose
+    end
+  end
+end
+
+# def prep_git_checkout(spec)
+#   Dir.chdir(spec.target_dir) do
+#     status_first_line = `git status`.split("\n").first
+#     raise "Not on master: #{status_first_line}" unless status_first_line == '# On branch master'
+#
+#     raise 'Uncommitted files' unless `git status --porcelain`.chomp.empty?
+#
+#     verbose_puts `git pull`
+#   end
+# end
+

data/lib/bundler/patch/version.rb

@@ -0,0 +1,5 @@
+module Bundler
+  module Patch
+    VERSION = '0.6.0'
+  end
+end

data/lib/bundler/patch.rb

@@ -0,0 +1,15 @@
+require 'bundler'
+
+module Bundler
+  module Patch
+  end
+end
+
+require 'bundler/patch/updater'
+require 'bundler/patch/gemfile'
+require 'bundler/patch/ruby_version'
+require 'bundler/patch/advisory_consolidator'
+require 'bundler/patch/conservative_definition'
+require 'bundler/patch/conservative_resolver'
+require 'bundler/patch/scanner'
+require 'bundler/patch/version'

metadata

@@ -0,0 +1,170 @@
+--- !ruby/object:Gem::Specification
+name: bundler-patch
+version: !ruby/object:Gem::Version
+  version: 0.6.0
+platform: ruby
+authors:
+- chrismo
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-04-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler-advise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.3
+- !ruby/object:Gem::Dependency
+  name: boson
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: bundler-fixture
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- chrismo@clabs.org
+executables:
+- bundle-patch
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".ruby-version"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/bundle-patch
+- bin/console
+- bin/setup
+- bundler-patch.gemspec
+- lib/bundler/patch.rb
+- lib/bundler/patch/advisory_consolidator.rb
+- lib/bundler/patch/conservative_definition.rb
+- lib/bundler/patch/conservative_resolver.rb
+- lib/bundler/patch/gemfile.rb
+- lib/bundler/patch/ruby_version.rb
+- lib/bundler/patch/scanner.rb
+- lib/bundler/patch/updater.rb
+- lib/bundler/patch/version.rb
+homepage: https://github.com/livingsocial/bundler-patch
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: Conservative bundler updates
+test_files: []