bundler-patch 0.6.1 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d81e3f4667e6cb684ba7caf5ff5ab7778712964e
-  data.tar.gz: f54482f58a5e12f47b740a9bc4dfe0992daa49ca
+  metadata.gz: e3c93c22ec89fe88cd7225e53b51f4367109dcc5
+  data.tar.gz: db75eca98eb9622a9299668d7c8d5e77868b73f5
 SHA512:
-  metadata.gz: 419579e3bbbe1653877d8fe227995bdac95208141804eea933171108851ae317df0d4c5f2a5defbe82aff46342ddb10954c3330f543e0f9e787a805aac37f127
-  data.tar.gz: 85f1d8f4b1d2b7cb316a62efb85f84fcf041552db77c97ee15c5adecb967514f9470c660c0c9bf2f76158639236ecb1d1ee36f731427abcf8920dff11b0d4dad
+  metadata.gz: 2cb458c1bfb71fd70fc1fc5145caa97c391aead8dddbc8fbc292de9ea310bdc47d3b15f5b63c0dc7325e6e53a502a2be0bfc5a5a7c6921aa653407d15e2920fa
+  data.tar.gz: 799ce18e825ddc8027b9ac06553874e094262f0f1d23951cf863b28fc402d4f5d1eb37f95c21fecf6d668f19730cd6810242eb533fd6e5241226f4d29d486589

data/.gitignore

@@ -8,3 +8,4 @@
 /pkg/
 /spec/reports/
 /tmp/
+zz_debug_spec.rb

data/Gemfile

@@ -1,5 +1,4 @@
 source 'https://rubygems.org'
-source 'https://gems.livingsocial.net'
 
 # Specify your gem's dependencies in bundler-patch.gemspec
 gemspec

data/README.md

@@ -1,15 +1,12 @@
-# Bundler::Patch
+# bundler-patch
 
-`bundler-patch` can update your Gemfile conservatively to deal with vulnerable gems or just get more current.
+`bundler-patch` can update your gems conservatively to deal with vulnerable
+gems or just get more current.
 
-## Goals
-
-- Update the Gemfile, .ruby-version and other files to patch an app according to `ruby-advisory-db` content.
-- Provide conservative update of select or all gems. Conservative meaning to the latest release (default) or minor (optional) version.
-- Don't security patch past the minimum gem version required. (This may change).
-- Minimal munging to existing version spec.
-- Support a database of custom advisories for internal gems.
-- Provide reasonable support for keeping a large number of apps and services up-to-date as automatically as possible.
+By default, "conservatively" means it will prefer the latest releases from the
+current version, over the latest minor releases or the latest major releases.
+This is somewhat opposite from `bundle update` which prefers newest/major
+versions first.
 
 ## Installation
 
@@ -17,120 +14,206 @@
 
 ## Usage
 
-### Scan / Patch Security Vulnerable Gems
+With the `bundler-patch` binary available, both `bundler-patch` and `bundle
+patch` can be used to execute.
+
+Without any options, all gems will be conservatively updated. An attempt to
+upgrade any vulnerable gem (according to
+https://github.com/rubysec/ruby-advisory-db) to a patched version will be
+made.
+
+    $ bundle patch
+
+"Conservatively" means it will sort all available versions to prefer the
+latest releases from the current version, then the latest minor releases and
+then the latest major releases.
+
+Gem requirements as defined in the Gemfile will restrict the available version
+options.
+
+For example, if gem 'foo' is locked at 1.0.2, with no gem requirement defined
+in the Gemfile, and versions 1.0.3, 1.0.4, 1.1.0, 1.1.1, 2.0.0 all exist, the
+default order of preference will be "1.0.4, 1.0.3, 1.0.2, 1.1.1, 1.1.0,
+2.0.0".
+
+"Prefer" means that no available versions are removed from consideration*, to
+help ensure a suitable dependency graph can be reconciled. This does mean some
+gems cannot be upgraded or will be upgraded to unexpected versions.
 
-To output the list of detected vulnerabilities in the current project:
+_*That's a white-lie. bundler-patch will actually remove from consideration
+any versions older than the currently locked version, which `bundle update`
+will not do. It's not common, but it is possible for `bundle update` to
+regress a gem to an older version, if necessary to reconcile the dependency
+graph._
 
-    $ bundle-patch scan
+With no gem names provided on the command line, all gems will be unlocked and
+open for updating. A list of gem names can be passed to restrict to just those
+gems.
 
-To specify the path to an optional advisory database:
+    $ bundle patch foo bar
 
-    $ bundle-patch scan -a ~/.my-custom-db
+  * `-m/--minor_preferred` option will give preference for minor versions over
+    release versions.
 
-_*NOTE*: `gems` will be appended to the end of the provided advisory database path._
+  * `-p/--prefer_minimal` option will reverse the preference order within
+    release, minor, major groups to just 'the next' version. In the prior
+    example, the order of preference changes to "1.0.3, 1.0.4, 1.0.2, 1.1.0,
+    1.1.1, 2.0.0"
 
-To attempt to patch the detected vulnerabilities, use the `patch` command instead of `scan`:
+  * `-s/--strict_updates` option will actually remove from consideration
+    versions outside either the current release (or minor version if `-m`
+    specified). This increases the chances of Bundler being unable to
+    reconcile the dependency graph and could raise a `VersionConflict`.
 
-    $ bundle-patch patch
+`bundler-patch` will also check for vulnerabilities based on the
+`ruby-advisory-db`, but also will _modify_ (if necessary) the gem requirement
+in the Gemfile on vulnerable gems to ensure they can be upgraded.
 
-Same options apply. Read the next section for details on how bumps to release, minor and major versions work.
+  * `-l/--list` option will just list vulnerable gems. No updates will be
+    performed.
 
-For help:
+  * `-a/--advisory_db_path` option can provide the path to an additional
+    custom ruby-advisory-db styled directory. The path should not include the
+    final `gems` directory, that will be appended automatically. This can be
+    used for flagging necessary updates for custom/internal gems.
 
-    $ bundle-patch help scan
-    $ bundle-patch help patch
+The rules for updating vulnerable gems are almost identical to the general
+`bundler-patch` behavior described above, and abide by the same options (`-m`,
+`-p`, and `-s`) though there are some tweaks to encourage getting to at least
+a patched version of the gem. Keep in mind Bundler may choose unexpected
+versions in order to satisfy the dependency graph.
 
-### Conservatively Update All Gems
+   * `-v/--vulnerable_gems_only` option will automatically restrict the gems
+     to update list to currently vulnerable gems. If a combination of `-v` and
+     a list of gem names are passed, the `-v` option is ignored in favor of
+     the listed gem names.
 
-To update any gem conservatively, use the `update` command:
 
-    $ bundle-patch update 'foo bar'
+## Examples
 
-This will attempt to upgrade the `foo` and `bar` gems to the latest release version. (e.g. if the current version is
-`1.4.3` and the latest available `1.4.x` version is `1.4.8`, it will attempt to upgrade it to `1.4.8`). If any
-dependent gems need to be upgraded to a new minor or even major version, then it will do those as well, presuming the
-gem requirements specified in the `Gemfile` also allow it.
+### Single Gem
 
-If you want to restrict _any_ gem from being upgraded past the most recent release version, use `--strict` mode:
+| Requirements| Locked  | Available                   | Options  | Result |
+|-------------|---------|-----------------------------|----------|--------|
+| foo         | 1.4.3   | 1.4.4, 1.4.5, 1.5.0, 1.5.1  |          | 1.4.5  |
+| foo         | 1.4.3   | 1.4.4, 1.4.5, 1.5.0, 1.5.1  | -m       | 1.5.1  |
+| foo         | 1.4.3   | 1.4.4, 1.4.5, 1.5.0, 1.5.1  | -p       | 1.4.4  |
+| foo         | 1.4.3   | 1.4.4, 1.4.5, 1.5.0, 1.5.1  | -m -p    | 1.5.0  |
 
-    $ bundle-patch update 'foo bar' --strict
+### Two Gems
 
-This will eliminate any newer minor or major releases for any gem. If Bundler is unable to upgrade the requested gems
-due to the limitations, it will leave the requested gems at their current version.
+Given the following gem specifications:
 
-If you want to allow minor release upgrades (e.g. to allow an upgrade from `1.4.3` to `1.6.1`) use the `--minor_allowed`
-option.
+- foo 1.4.3, requires: ~> bar 2.0
+- foo 1.4.4, requires: ~> bar 2.0
+- foo 1.4.5, requires: ~> bar 2.1
+- foo 1.5.0, requires: ~> bar 2.1
+- foo 1.5.1, requires: ~> bar 3.0
+- bar with versions 2.0.3, 2.0.4, 2.1.0, 2.1.1, 3.0.0
 
-`--minor_allowed` (alias `-m`) and `--strict` (alias `-s`) can be used together or independently.
+Gemfile: 
 
-While `--minor_allowed` is most useful in combination with the `--strict` option, it can also influence behavior when
-not in strict mode.
+    gem 'foo'
 
-For example, if an update to `foo` is requested, current version is `1.4.3` and `foo` has both `1.4.8` and `1.6.1`
-available, then without `--minor_allowed` and without `--strict`, `foo` itself will only be upgraded to `1.4.8`, though
-any gems further down the dependency tree could be upgraded to a new minor or major version if they have to be to use
-`foo 1.4.8`.
+Gemfile.lock: 
 
-Continuing the example, _with_ `--minor_allowed` (but still without `--strict`) `foo` itself would be upgraded to
-`1.6.1`, and as before any gems further down the dependency tree could be upgraded to a new minor or major version if
-they have to.
+    foo (1.4.3)
+      bar (~> 2.0)
+    bar (2.0.3)
 
-To request conservative updates for the entire Gemfile, simply call `update`:
+| # | Command Line | Result                    |
+|---|--------------|---------------------------|
+| 1 |              | 'foo 1.4.5', 'bar 2.1.1'  |
+| 2 | foo          | 'foo 1.4.4', 'bar 2.0.3'  |
+| 3 | -m           | 'foo 1.5.1', 'bar 3.0.0'  |
+| 4 | -m -s        | 'foo 1.5.0', 'bar 2.1.1'  |
+| 5 | -s           | 'foo 1.4.4', 'bar 2.0.4'  |
+| 6 | -p           | 'foo 1.4.4', 'bar 2.0.4'  |
+| 7 | -p -m        | 'foo 1.5.0', 'bar 2.1.0'  |
 
-    $ bundle-patch update
+In case 1, `bar` is upgraded to 2.1.0, a minor version increase, because the
+dependency from `foo` 1.4.5 required it.
 
-There's no option to allow major version upgrades as this is the default behavior of `bundle update` in Bundler itself.
+In case 2, only `foo` is unlocked, so `bar` can only go to 1.4.4 to satisfy
+the dependency from `foo`.
+
+In case 3, `bar` goes up a whole major release, because a minor increase is
+preferred now for `foo`.
+
+In case 4, `foo` is preferred up to a 1.5.x, but 1.5.1 won't work because the
+strict `-s` flag removes `bar` 3.0.0 from consideration since it's a major
+increment.
+
+In case 5, both `foo` and `bar` have any minor or major increments removed
+from consideration, so the most they can move is up to 1.4.4 and 2.0.4.
+
+In case 6, the prefer minimal switch `-p` means they only increment to the
+next available release.
+
+In case 7, the `-p` and `-m` switches allow both to move to just the next
+available minor version.
 
 
 ### Troubleshooting
 
-First tip: make sure the current `bundle` command runs to completion on its own without any problems.
+First, make sure the current `bundle` command itself runs to completion on its
+own without any problems.
 
-The most frequent problems with this tool involve expectations around what gems should or shouldn't be upgraded. This
-can quickly get complicated as even a small dependency tree can involve many moving parts, and Bundler works hard to
-find a combination that satisfies all of the dependencies and requirements.
+The most frequent problems with this tool involve expectations around what
+gems should or shouldn't be upgraded. This can quickly get complicated as even
+a small dependency tree can involve many moving parts, and Bundler works hard
+to find a combination that satisfies all of the dependencies and requirements.
 
-You can get a (very verbose) look into how Bundler's resolution algorithm is working by setting the `DEBUG_RESOLVER`
-environment variable. While it can be tricky to dig through, it should explain how it came to the conclusions it came
-to.
+You can get a (very verbose) look into how Bundler's resolution algorithm is
+working by setting the `DEBUG_RESOLVER` environment variable. While it can be
+tricky to dig through, it should explain how it came to the conclusions it
+came to.
 
-Adding to the usual Bundler complexity, `bundler-patch` is injecting its own logic to the resolution process to achieve
-its goals. If there's a bug involved, it's almost certainly in the `bundler-patch` code as Bundler has been around a
-long time and has thorough testing and real world experience.
+Adding to the usual Bundler complexity, `bundler-patch` is injecting its own
+logic to the resolution process to achieve its goals. If there's a bug
+involved, it's almost certainly in the `bundler-patch` code as Bundler has
+been around a long time and has thorough testing and real world experience.
 
-In particular, grep for 'Unwinding for conflict' to isolate some key issues that may be preventing the outcome you
-expect.
+In particular, grep for 'Unwinding for conflict' to isolate some key issues
+that may be preventing the outcome you expect.
 
-`bundler-patch` can dump its own debug output, potentially helpful, with `DEBUG_PATCH_RESOLVER`.
+`bundler-patch` can dump its own debug output, potentially helpful, with
+`DEBUG_PATCH_RESOLVER`.
 
-To get additional Bundler debugging output, enable the `DEBUG` env variable. This will include all of the details of
-the downloading the full dependency data from remote sources.
+To get additional Bundler debugging output, enable the `DEBUG` env variable.
+This will include all of the details of the downloading the full dependency
+data from remote sources.
 
 
 ## Development
 
 ### Status
 
-0.x versions are subject to breaking changes, there's a fair amount of experimenting going on and some future plans to
-not only revisit the command names but also investigate making this a proper Bundler plugin.
+0.x versions are subject to breaking changes, there's a fair amount of
+experimenting going on.
 
-We'd love to get real world scenarios where things don't go as planned to help flesh out varying details of what many
-believe a conservative update should be.
+We'd love to get real world scenarios where things don't go as planned to help
+flesh out varying details of what many believe a conservative update should
+be.
 
 ### How To
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can
-also run `bin/console` for an interactive prompt that will allow you to experiment.
+After checking out the repo, run `bin/setup` to install dependencies. Then,
+run `rake spec` to run the tests. You can also run `bin/console` for an
+interactive prompt that will allow you to experiment.
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the
-version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version,
-push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+To install this gem onto your local machine, run `bundle exec rake install`.
+To release a new version, update the version number in `version.rb`, and then
+run `bundle exec rake release`, which will create a git tag for the version,
+push git commits and tags, and push the `.gem` file to
+[rubygems.org](https://rubygems.org).
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/livingsocial/bundler-patch.
-
+Bug reports and pull requests are welcome on GitHub at
+https://github.com/livingsocial/bundler-patch.
 
 ## License
 
-The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+The gem is available as open source under the terms of the [MIT
+License](http://opensource.org/licenses/MIT).

data/bin/{bundle-patch → bundler-patch}

@@ -7,4 +7,4 @@ $LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
 
 require 'bundler/patch'
 
-Bundler::Patch::Scanner.start
+Bundler::Patch::CLI.execute

data/bundler-patch.gemspec

@@ -16,14 +16,14 @@ Gem::Specification.new do |spec|
 
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.bindir        = 'bin'
-  spec.executables   = ['bundle-patch']
+  spec.executables   = ['bundler-patch']
   spec.require_paths = ['lib']
 
   spec.add_dependency 'bundler-advise', '~> 1.0', '>= 1.0.3'
-  spec.add_dependency 'boson'
-  spec.add_dependency 'bundler', '~> 1.10'
+  spec.add_dependency 'slop', '~> 4.0'
+  spec.add_dependency 'bundler', '~> 1.10.0' # TODO: does not work with 1.11.x yet
 
-  spec.add_development_dependency 'bundler-fixture', '~> 1.1'
+  spec.add_development_dependency 'bundler-fixture', '~> 1.3'
   spec.add_development_dependency 'pry'
   spec.add_development_dependency 'rake', '~> 10.0'
   spec.add_development_dependency 'rspec'

data/lib/bundler/patch/advisory_consolidator.rb

@@ -40,7 +40,7 @@ module Bundler::Patch
         else
           GemPatch.new(gem_name: up_spec.gem_name, old_version: old_version, patched_versions: up_spec.patched_versions)
         end
-      end.partition { |gp| !gp.new_version.nil? }
+      end
     end
 
     private
@@ -61,13 +61,27 @@ module Bundler::Patch
   end
 
   class GemPatch
+    include Comparable
+
     attr_reader :gem_name, :old_version, :new_version, :patched_versions
 
     def initialize(gem_name:, old_version: nil, new_version: nil, patched_versions: nil)
       @gem_name = gem_name
-      @old_version = old_version
-      @new_version = new_version
+      @old_version = Gem::Version.new(old_version) if old_version
+      @new_version = Gem::Version.new(new_version) if new_version
       @patched_versions = patched_versions
     end
+
+    def <=>(other)
+      self.gem_name <=> other.gem_name
+    end
+
+    def hash
+      @gem_name.hash
+    end
+
+    def eql?(other)
+      @gem_name.eql?(other.gem_name)
+    end
   end
 end

data/lib/bundler/patch/cli.rb

@@ -0,0 +1,112 @@
+require 'bundler/advise'
+require 'slop'
+
+module Bundler::Patch
+  class CLI
+    def self.execute
+      opts = Slop.parse do |o|
+        o.banner = "Bundler Patch Version #{Bundler::Patch::VERSION}\nUsage: bundle patch [options] [gems_to_update]"
+        o.separator ''
+        o.separator 'bundler-patch attempts to update gems conservatively.'
+        o.separator ''
+        o.bool '-m', '--minor_preferred', 'Prefer update to the latest minor.release version.' # TODO: change to --minor_preferred
+        o.bool '-p', '--prefer_minimal', 'Prefer minimal version updates over most recent release (or minor if -m used).'
+        o.bool '-s', '--strict_updates', 'Restrict any gem to be upgraded past most recent release (or minor if -m used).'
+        o.bool '-l', '--list', 'List vulnerable gems and new version target. No updates will be performed.'
+        o.bool '-v', '--vulnerable_gems_only', 'Only update vulnerable gems.'
+        o.string '-a', '--advisory_db_path', 'Optional custom advisory db path. `gems` dir will be appended to this path.'
+        o.on('-h', 'Show this help') { show_help(o) }
+        o.on('--help', 'Show README.md') { show_readme }
+      end
+
+      show_readme if opts.arguments.include?('help')
+      options = opts.to_hash
+      options[:gems_to_update] = opts.arguments
+
+      CLI.new.patch(options)
+    end
+
+    def self.show_help(opts)
+      puts opts.to_s(prefix: '  ')
+      exit
+    end
+
+    def self.show_readme
+      Kernel.exec "less '#{File.expand_path('../../../../README.md', __FILE__)}'"
+      exit
+    end
+
+    def initialize
+      @no_vulns_message = 'No known vulnerabilities to update.'
+    end
+
+    def patch(options={})
+      Bundler.ui = Bundler::UI::Shell.new
+
+      return list(options) if options[:list]
+
+      _patch(options)
+    end
+
+    private
+
+    def conservative_update(gem_patches, options={}, bundler_def=nil)
+      prep = DefinitionPrep.new(bundler_def, gem_patches, options).tap { |p| p.prep }
+
+      # update => true is very important, otherwise without any Gemfile changes, the installer
+      # may end up concluding everything can be resolved locally, nothing is changing,
+      # and then nothing is done. lib/bundler/cli/update.rb also hard-codes this.
+      Bundler::Installer.install(Bundler.root, prep.bundler_def, {'update' => true})
+    end
+
+    def list(options)
+      gem_patches = AdvisoryConsolidator.new(options).vulnerable_gems
+
+      if gem_patches.empty?
+        Bundler.ui.info @no_vulns_message
+      else
+        Bundler.ui.info '' # extra line to separate from advisory db update text
+        Bundler.ui.info 'Detected vulnerabilities:'
+        Bundler.ui.info '-------------------------'
+        Bundler.ui.info gem_patches.map(&:to_s).uniq.sort.join("\n")
+      end
+    end
+
+    def _patch(options)
+      vulnerable_patches = AdvisoryConsolidator.new(options).patch_gemfile_and_get_gem_specs_to_patch
+      requested_patches = (options.delete(:gems_to_update) || []).map { |gem_name| GemPatch.new(gem_name: gem_name) }
+
+      all_gem_patches = GemsToPatchReconciler.new(vulnerable_patches, requested_patches).reconciled_patches
+      all_gem_patches.push(*vulnerable_patches) if options[:vulnerable_gems_only] && all_gem_patches.empty?
+
+      vulnerable_patches, warnings = vulnerable_patches.partition { |gp| !gp.new_version.nil? }
+
+      unless warnings.empty?
+        warnings.each do |gp|
+          Bundler.ui.warn "* Could not attempt upgrade for #{gp.gem_name} from #{gp.old_version} to any patched versions " \
+            + "#{gp.patched_versions.join(', ')}. Most often this is because a major version increment would be " \
+            + "required and it's safer for a major version increase to be done manually."
+        end
+      end
+
+      if vulnerable_patches.empty?
+        Bundler.ui.info @no_vulns_message
+      else
+        vulnerable_patches.each do |gp|
+          Bundler.ui.info "Attempting conservative update for vulnerable gem '#{gp.gem_name}': #{gp.old_version} => #{gp.new_version}"
+        end
+      end
+
+      if all_gem_patches.empty?
+        Bundler.ui.info 'Updating all gems conservatively.'
+      else
+        Bundler.ui.info "Updating '#{all_gem_patches.map(&:gem_name).join(' ')}' conservatively."
+      end
+      conservative_update(all_gem_patches, options)
+    end
+  end
+end
+
+if __FILE__ == $0
+  Bundler::Patch::CLI.execute
+end

data/lib/bundler/patch/conservative_definition.rb

@@ -3,7 +3,7 @@ module Bundler::Patch
     attr_accessor :gems_to_update
 
     # pass-through options to ConservativeResolver
-    attr_accessor :strict, :minor_allowed
+    attr_accessor :strict, :minor_preferred, :prefer_minimal
 
     # This copies more code than I'd like out of Bundler::Definition, but for now seems the least invasive way in.
     # Backing up and intervening into the creation of a Definition instance itself involves a lot more code, a lot
@@ -31,7 +31,8 @@ module Bundler::Patch
           resolver.gems_to_update = @gems_to_update
           resolver.locked_specs = locked_specs
           resolver.strict = @strict
-          resolver.minor_allowed = @minor_allowed
+          resolver.minor_preferred = @minor_preferred
+          resolver.prefer_minimal = @prefer_minimal
           result = resolver.start(expanded_dependencies)
           spec_set = Bundler::SpecSet.new(result)
 
@@ -46,7 +47,7 @@ module Bundler::Patch
 
     def initialize(bundler_def, gem_patches, options)
       @bundler_def = bundler_def
-      @gems_to_update = GemsToUpdate.new(gem_patches, options)
+      @gems_to_update = GemsToPatch.new(gem_patches)
       @options = options
     end
 
@@ -54,41 +55,39 @@ module Bundler::Patch
       @bundler_def ||= Bundler.definition(@gems_to_update.to_bundler_definition)
       @bundler_def.extend ConservativeDefinition
       @bundler_def.gems_to_update = @gems_to_update
-      @bundler_def.strict = @options[:strict]
-      @bundler_def.minor_allowed = @options[:minor_allowed]
+      @bundler_def.strict = @options[:strict_updates]
+      @bundler_def.minor_preferred = @options[:minor_preferred]
+      @bundler_def.prefer_minimal = @options[:prefer_minimal]
       fixup_empty_remotes if @gems_to_update.to_bundler_definition === true
       @bundler_def
     end
 
-    # This may only matter in cases like sidekiq where the sidekiq-pro gem is served
-    # from their gem server and depends on the open-source sidekiq gem served from
-    # rubygems.org, and when patching those, without the appropriate remotes being
-    # set in rubygems_aggregrate, it won't work.
+    # This came out a real-life case with sidekiq and sidekiq-pro where the sidekiq-pro gem is served from their gem
+    # server and depends on the open-source sidekiq gem served from rubygems.org, and when patching those, without
+    # the appropriate remotes being set in rubygems_aggregrate, it won't work.
     #
-    # I've seen some other weird cases where a remote source index had no entry for a
-    # gem and would trip up bundler-audit. I couldn't pin them down at the time though.
-    # But I want to keep this in case.
-    #
-    # The underlying issue in Bundler 1.10 appears to be when the Definition
-    # constructor receives `true` as the `unlock` parameter, then @locked_sources
-    # is initialized to empty array, and the related rubygems_aggregrate
-    # source instance ends up with no @remotes set in it, which I think happens during
-    # converge_sources. Without those set, then the index will list no gem versions in
-    # some cases. (It was complicated enough to discover this patch, I haven't fully
-    # worked out the flaw, which still could be on my side of the fence).
+    # The underlying issue in Bundler 1.10 appears to be when the Definition constructor receives `true` as the
+    # `unlock` parameter, then @locked_sources is initialized to empty array, and the related rubygems_aggregrate
+    # source instance ends up with no @remotes set in it, which I think happens during converge_sources. Without
+    # those set, then the index will list no gem versions in some cases. (It was complicated enough to discover this
+    # patch, I haven't fully worked out the flaw, though I believe I recreated the problem with plain ol `bundle
+    # update`).
     def fixup_empty_remotes
+      STDERR.puts 'fixing empty remotes' if ENV['DEBUG_PATCH_RESOLVER']
       b_sources = @bundler_def.send(:sources)
       empty_remotes = b_sources.rubygems_sources.detect { |s| s.remotes.empty? }
+      STDERR.puts "empty_remotes: <#{empty_remotes}>" if ENV['DEBUG_PATCH_RESOLVER']
       empty_remotes.remotes.push(*b_sources.rubygems_remotes) if empty_remotes
+      empty_remotes = b_sources.rubygems_sources.detect { |s| s.remotes.empty? }
+      STDERR.puts "empty_remotes after fixed: <#{empty_remotes}>" if ENV['DEBUG_PATCH_RESOLVER']
     end
   end
 
-  class GemsToUpdate
-    attr_reader :gem_patches, :patching
+  class GemsToPatch
+    attr_reader :gem_patches
 
-    def initialize(gem_patches, options={})
+    def initialize(gem_patches)
       @gem_patches = Array(gem_patches)
-      @patching = options[:patching]
     end
 
     def to_bundler_definition
@@ -99,20 +98,12 @@ module Bundler::Patch
       @gem_patches.map(&:gem_name)
     end
 
-    def patching_gem?(gem_name)
-      @patching && to_gem_names.include?(gem_name)
-    end
-
-    def patching_but_not_this_gem?(gem_name)
-      @patching && !to_gem_names.include?(gem_name)
-    end
-
     def gem_patch_for(gem_name)
       @gem_patches.detect { |gp| gp.gem_name == gem_name }
     end
 
     def unlocking_all?
-      @patching || @gem_patches.empty?
+      @gem_patches.empty?
     end
 
     def unlocking_gem?(gem_name)

data/lib/bundler/patch/conservative_resolver.rb

@@ -1,14 +1,14 @@
 module Bundler::Patch
   class ConservativeResolver < Bundler::Resolver
-    attr_accessor :locked_specs, :gems_to_update, :strict, :minor_allowed
+    attr_accessor :locked_specs, :gems_to_update, :strict, :minor_preferred, :prefer_minimal
 
     def search_for(dependency)
       res = super(dependency)
 
       dep = dependency.dep unless dependency.is_a? Gem::Dependency
+
       @conservative_search_for ||= {}
-      #@conservative_search_for[dep] ||= # TODO turning off caching allowed a real-world sample to work, dunno why yet.
-      begin
+      res = @conservative_search_for[dep] ||= begin
         gem_name = dep.name
 
         # An Array per version returned, different entries for different platforms.
@@ -18,20 +18,14 @@ module Bundler::Patch
         (@strict ?
           filter_specs(res, locked_spec) :
           sort_specs(res, locked_spec)).tap do |res|
-          if ENV['DEBUG_PATCH_RESOLVER']
-            # TODO: if we keep this, gotta go through Bundler.ui
-            begin
-              if res
-                p debug_format_result(dep, res)
-              else
-                p "No res for #{dep.to_s}. Orig res: #{super(dependency)}"
-              end
-            rescue => e
-              p [e.message, e.backtrace[0..5]]
-            end
-          end
+          STDERR.puts debug_format_result(dep, res).inspect if ENV['DEBUG_PATCH_RESOLVER']
         end
       end
+
+      # dup is important, in weird (large) cases Bundler will empty the result array corrupting the cache.
+      # Bundler itself doesn't have this problem because the super search_for does a select on its cached
+      # search results, effectively duping it.
+      res.dup
     end
 
     def debug_format_result(dep, res)
@@ -50,7 +44,7 @@ module Bundler::Patch
           gsv = gem_spec.version
           lsv = locked_spec.version
 
-          must_match = @minor_allowed ? [0] : [0, 1]
+          must_match = @minor_preferred ? [0] : [0, 1]
 
           matches = must_match.map { |idx| gsv.segments[idx] == lsv.segments[idx] }
           (matches.uniq == [true]) ? gsv.send(:>=, lsv) : false
@@ -62,6 +56,7 @@ module Bundler::Patch
       sort_specs(res, locked_spec)
     end
 
+    # reminder: sort still filters anything older than locked version
     def sort_specs(specs, locked_spec)
       return specs unless locked_spec
       gem_name = locked_spec.name
@@ -72,33 +67,35 @@ module Bundler::Patch
       filtered.sort do |a, b|
         a_ver = a.first.version
         b_ver = b.first.version
+        gem_patch = @gems_to_update.gem_patch_for(gem_name)
+        new_version = gem_patch ? gem_patch.new_version : nil
         case
         when a_ver.segments[0] != b_ver.segments[0]
           b_ver <=> a_ver
-        when !@minor_allowed && (a_ver.segments[1] != b_ver.segments[1])
+        when !@minor_preferred && (a_ver.segments[1] != b_ver.segments[1])
+          b_ver <=> a_ver
+        when @prefer_minimal && !@gems_to_update.unlocking_gem?(gem_name)
           b_ver <=> a_ver
-        when @gems_to_update.patching_but_not_this_gem?(gem_name)
+        when @prefer_minimal && @gems_to_update.unlocking_gem?(gem_name) &&
+          (![a_ver, b_ver].include?(locked_version) &&
+            (!new_version || (new_version && a_ver >= new_version && b_ver >= new_version)))
           b_ver <=> a_ver
         else
           a_ver <=> b_ver
         end
       end.tap do |result|
         if @gems_to_update.unlocking_gem?(gem_name)
-          if @gems_to_update.patching_gem?(gem_name)
-            # this logic will keep a gem from updating past the patched version
-            # if a more recent release (or minor, if enabled) version exists.
-            # TODO: not sure if we want this special logic to remain or not.
-            new_version = @gems_to_update.gem_patch_for(gem_name).new_version
-            swap_version_to_end(specs, new_version, result) if new_version
+          gem_patch = @gems_to_update.gem_patch_for(gem_name)
+          if gem_patch && gem_patch.new_version && @prefer_minimal
+            move_version_to_end(specs, gem_patch.new_version, result)
           end
         else
-          # make sure the current locked version is last in list.
-          swap_version_to_end(specs, locked_version, result)
+          move_version_to_end(specs, locked_version, result)
         end
       end
     end
 
-    def swap_version_to_end(specs, version, result)
+    def move_version_to_end(specs, version, result)
       spec_group = specs.detect { |s| s.first.version.to_s == version.to_s }
       if spec_group
         result.reject! { |s| s.first.version.to_s === version.to_s }

data/lib/bundler/patch/gems_to_patch_reconciler.rb

@@ -0,0 +1,22 @@
+class GemsToPatchReconciler
+  attr_reader :reconciled_patches
+
+  def initialize(vulnerable_patches, requested_patches=[])
+    @vulnerable_patches = vulnerable_patches
+    @requested_patches = requested_patches
+    reconcile
+  end
+
+  private
+
+  def reconcile
+    @reconciled_patches = []
+    unless @requested_patches.empty?
+      @vulnerable_patches.reject! { |gp| !@requested_patches.include?(gp) }
+      @reconciled_patches.push(*((@vulnerable_patches + @requested_patches).uniq))
+    end
+  end
+end
+
+
+

data/lib/bundler/patch/version.rb

@@ -1,5 +1,5 @@
 module Bundler
   module Patch
-    VERSION = '0.6.1'
+    VERSION = '0.7.0'
   end
 end

data/lib/bundler/patch.rb

@@ -11,5 +11,6 @@ require 'bundler/patch/ruby_version'
 require 'bundler/patch/advisory_consolidator'
 require 'bundler/patch/conservative_definition'
 require 'bundler/patch/conservative_resolver'
-require 'bundler/patch/scanner'
+require 'bundler/patch/gems_to_patch_reconciler'
+require 'bundler/patch/cli'
 require 'bundler/patch/version'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bundler-patch
 version: !ruby/object:Gem::Version
-  version: 0.6.1
+  version: 0.7.0
 platform: ruby
 authors:
 - chrismo
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-04-11 00:00:00.000000000 Z
+date: 2016-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-advise
@@ -31,47 +31,47 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 1.0.3
 - !ruby/object:Gem::Dependency
-  name: boson
+  name: slop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: 1.10.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: 1.10.0
 - !ruby/object:Gem::Dependency
   name: bundler-fixture
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -118,7 +118,7 @@ description:
 email:
 - chrismo@clabs.org
 executables:
-- bundle-patch
+- bundler-patch
 extensions: []
 extra_rdoc_files: []
 files:
@@ -130,17 +130,18 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
-- bin/bundle-patch
+- bin/bundler-patch
 - bin/console
 - bin/setup
 - bundler-patch.gemspec
 - lib/bundler/patch.rb
 - lib/bundler/patch/advisory_consolidator.rb
+- lib/bundler/patch/cli.rb
 - lib/bundler/patch/conservative_definition.rb
 - lib/bundler/patch/conservative_resolver.rb
 - lib/bundler/patch/gemfile.rb
+- lib/bundler/patch/gems_to_patch_reconciler.rb
 - lib/bundler/patch/ruby_version.rb
-- lib/bundler/patch/scanner.rb
 - lib/bundler/patch/updater.rb
 - lib/bundler/patch/version.rb
 homepage: https://github.com/livingsocial/bundler-patch

data/lib/bundler/patch/scanner.rb

@@ -1,85 +0,0 @@
-require 'bundler/advise'
-require 'boson/runner'
-
-module Bundler::Patch
-  class Scanner < Boson::Runner
-    def initialize
-      @no_vulns_message = 'No known vulnerabilities to update.'
-    end
-
-    option :advisory_db_path, type: :string, desc: 'Optional custom advisory db path.'
-    desc 'Scans current directory for known vulnerabilities and outputs them.'
-
-    def scan(options={}) # TODO: Revamp the commands now that we've broadened into security specific and generic
-      header
-      gem_patches = AdvisoryConsolidator.new(options).vulnerable_gems
-
-      if gem_patches.empty?
-        puts @no_vulns_message
-      else
-        puts # extra line to separate from advisory db update text
-        puts 'Detected vulnerabilities:'
-        puts '-------------------------'
-        puts gem_patches.map(&:to_s).uniq.sort.join("\n")
-      end
-    end
-
-    option :strict, type: :boolean, desc: 'Do not allow any gem to be upgraded past most recent release (or minor if -m used). Sometimes raises VersionConflict.'
-    option :minor_allowed, type: :boolean, desc: 'Upgrade to the latest minor.release version.'
-    option :advisory_db_path, type: :string, desc: 'Optional custom advisory db path.'
-    desc 'Scans current directory for known vulnerabilities and attempts to patch your files to fix them.'
-
-    def patch(options={}) # TODO: Revamp the commands now that we've broadened into security specific and generic
-      header
-
-      gem_patches, warnings = AdvisoryConsolidator.new(options).patch_gemfile_and_get_gem_specs_to_patch
-
-      unless warnings.empty?
-        warnings.each do |gp|
-          # TODO: Bundler.ui
-          puts "* Could not attempt upgrade for #{gp.gem_name} from #{gp.old_version} to any patched versions " \
-            + "#{gp.patched_versions.join(', ')}. Most often this is because a major version increment would be " \
-            + "required and it's safer for a major version increase to be done manually."
-        end
-      end
-
-      if gem_patches.empty?
-        puts @no_vulns_message
-      else
-        gem_patches.each do |gp|
-          puts "Attempting #{gp.gem_name}: #{gp.old_version} => #{gp.new_version}" # TODO: Bundler.ui
-        end
-
-        puts "Updating '#{gem_patches.map(&:gem_name).join(' ')}' to address vulnerabilities"
-        conservative_update(gem_patches, options.merge(patching: true))
-      end
-    end
-
-    option :strict, type: :boolean, desc: 'Do not allow any gem to be upgraded past most recent release (or minor if -m used). Sometimes raises VersionConflict.'
-    option :minor_allowed, type: :boolean, desc: 'Upgrade to the latest minor.release version.'
-    # TODO: be nice to support array w/o quotes like real `bundle update`
-    option :gems_to_update, type: :array, split: ' ', desc: 'Optional list of gems to update, in quotes, space delimited'
-    desc 'Update spec gems to the latest release version. Required gems could be upgraded to latest minor or major if necessary.'
-    config default_option: 'gems_to_update'
-
-    def update(options={}) # TODO: Revamp the commands now that we've broadened into security specific and generic
-      header
-      gem_patches = (options.delete(:gems_to_update) || []).map { |gem_name| GemPatch.new(gem_name: gem_name) }
-      conservative_update(gem_patches, options.merge(updating: true))
-    end
-
-    private
-
-    def header
-      puts "Bundler Patch Version #{Bundler::Patch::VERSION}"
-    end
-
-    def conservative_update(gem_patches, options={}, bundler_def=nil)
-      Bundler.ui = Bundler::UI::Shell.new
-
-      prep = DefinitionPrep.new(bundler_def, gem_patches, options).tap { |p| p.prep }
-
-      Bundler::Installer.install(Bundler.root, prep.bundler_def)
-    end
-  end
-end