bundler-trivy 0.1.2 → 0.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3079187f7de00f3634dd3f042607d9c4b2f505d96239eec97c5633478b4c3e80
-  data.tar.gz: 1ca3ac43876af2b7eff2b5a0bd10ae0f2af13ee1eaf754d90bfd7f93a4b6e131
+  metadata.gz: a7b59afe9e3d14eaedb5644c7c421ac940519940001ac27fc7bdbcba8c9e9f78
+  data.tar.gz: 95b5980cdd1bd8f25e166444e29d0907d05dff6d9dfaf37ac3a4969f6dd5ecd3
 SHA512:
-  metadata.gz: 3f8298ad2fe95f9b1b72c824b93f59bcea9ffc398f3e681c1591cfdde8475850a71632e599eabcb155dcd7cc3903c52afa31395da5889284c76ffa627f911902
-  data.tar.gz: c374956836874f08ed84bab869e2b625155cd0b413f77e9907c05b7631e69729b5162a82fdff3dc7c2daedb5f4d6c80aab53531e906da56652a790e7ae3f205c
+  metadata.gz: 036bf8d9aedd742df8adec69f21f4c27412d7b705ff056c783248a90aae823827216efebafc854eea4bac01cb3ee80e6e2d577686c5f74da80aacb6b2c75b875
+  data.tar.gz: 35c039953350c276732df80b6934f0d079dd33543b067832c8ebe4e16fd4f63fddf7100a715e56243f7a63f5a97badfd9f56c3f0befb3cf4692fa1b27bfbcfd9

data/README.md

@@ -12,7 +12,7 @@ A Bundler plugin that automatically integrates [Trivy](https://trivy.dev/) secur
 - **CVE Ignore List**: Temporary ignore vulnerabilities with expiration dates
 - **Multiple Output Formats**: Terminal (default), JSON, and compact modes
 - **Detailed Reporting**: Clear vulnerability summaries with fix recommendations
-- **Zero Dependencies**: Lightweight plugin with minimal runtime dependencies
+- **Zero Gem Dependencies**: Lightweight plugin with minimal runtime dependencies - none besides other than trivy.
 
 ## Quick Start
 
@@ -39,21 +39,21 @@ sudo apt-get install trivy
 
 **From source** (currently):
 ```bash
-gem build bundler-trivy-plugin.gemspec
-bundle plugin install bundler-trivy-plugin --source .
+gem build bunder-trivy.gemspec
+bundle plugin install bunder-trivy --source .
 ```
 
 **Coming soon - from RubyGems**:
 ```bash
-gem install bundler-trivy-plugin
-bundle plugin install bundler-trivy-plugin
+gem install bunder-trivy
+bundle plugin install bunder-trivy
 ```
 
 ### 3. Verify Installation
 
 ```bash
 bundle plugin list
-# Should show: bundler-trivy-plugin
+# Should show: bunder-trivy
 
 trivy --version
 # Should show: Version: 0.x.x or later
@@ -264,8 +264,8 @@ jobs:
 
       - name: Install Plugin
         run: |
-          gem build bundler-trivy-plugin.gemspec
-          bundle plugin install bundler-trivy-plugin --source .
+          gem build bunder-trivy.gemspec
+          bundle plugin install bunder-trivy --source .
 
       - name: Install Dependencies with Security Scan
         run: bundle install
@@ -282,8 +282,8 @@ security_scan:
     - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add -
     - echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee -a /etc/apt/sources.list.d/trivy.list
     - apt-get update && apt-get install -y trivy
-    - gem build bundler-trivy-plugin.gemspec
-    - bundle plugin install bundler-trivy-plugin --source .
+    - gem build bunder-trivy.gemspec
+    - bundle plugin install bunder-trivy --source .
   script:
     - bundle install
   allow_failure: false
@@ -309,13 +309,13 @@ BUNDLER_TRIVY_FAIL_ON_HIGH=true bundle install
 **Check plugin is installed**:
 ```bash
 bundle plugin list
-# Should show bundler-trivy-plugin
+# Should show bunder-trivy
 ```
 
 **Reinstall if needed**:
 ```bash
-bundle plugin uninstall bundler-trivy-plugin
-bundle plugin install bundler-trivy-plugin --source .
+bundle plugin uninstall bunder-trivy
+bundle plugin install bunder-trivy --source .
 ```
 
 ### Trivy not found
@@ -378,8 +378,8 @@ chmod +x $(which trivy)
 ### Setup
 
 ```bash
-git clone https://github.com/durableprogramming/bundler-trivy-plugin.git
-cd bundler-trivy-plugin
+git clone https://github.com/durableprogramming/bunder-trivy.git
+cd bunder-trivy
 bundle install
 ```
 
@@ -410,12 +410,12 @@ bundle exec rubocop -a
 
 ```bash
 # Build gem
-gem build bundler-trivy-plugin.gemspec
+gem build bunder-trivy.gemspec
 
 # Install in test project
 cd /path/to/test/project
-bundle plugin uninstall bundler-trivy-plugin || true
-bundle plugin install bundler-trivy-plugin --source /path/to/plugin
+bundle plugin uninstall bunder-trivy || true
+bundle plugin install bunder-trivy --source /path/to/plugin
 
 # Test
 bundle install
@@ -465,8 +465,8 @@ MIT License - see [LICENSE](LICENSE) for details.
 
 ## Support
 
-- **Documentation**: [GitHub README](https://github.com/durableprogramming/bundler-trivy-plugin)
-- **Issues**: [GitHub Issues](https://github.com/durableprogramming/bundler-trivy-plugin/issues)
+- **Documentation**: [GitHub README](https://github.com/durableprogramming/bunder-trivy)
+- **Issues**: [GitHub Issues](https://github.com/durableprogramming/bunder-trivy/issues)
 - **Email**: commercial@durableprogramming.com
 
 ## Credits

data/lib/bundler/trivy/config.rb

@@ -74,7 +74,7 @@ module Bundler
       #   config.fail_on_critical? # => true
       def fail_on_critical?
         env_bool("BUNDLER_TRIVY_FAIL_ON_CRITICAL",
-                 file_value(%w[fail_on critical], ci_environment?))
+          file_value(%w[fail_on critical], ci_environment?))
       end
 
       # Determines if the plugin should exit with error on HIGH severity vulnerabilities.
@@ -86,7 +86,7 @@ module Bundler
       #   config.fail_on_high? # => true
       def fail_on_high?
         env_bool("BUNDLER_TRIVY_FAIL_ON_HIGH",
-                 file_value(%w[fail_on high], false))
+          file_value(%w[fail_on high], false))
       end
 
       # Determines if the plugin should exit with error on ANY vulnerabilities.
@@ -111,7 +111,7 @@ module Bundler
       # @return [Boolean] true if compact output is enabled
       def compact_output?
         env_bool("BUNDLER_TRIVY_COMPACT",
-                 file_value(%w[output compact], ci_environment?))
+          file_value(%w[output compact], ci_environment?))
       end
 
       # Determines if output should be in JSON format.
@@ -160,7 +160,7 @@ module Bundler
       #   config.trivy_timeout # => 300
       def trivy_timeout
         ENV.fetch("BUNDLER_TRIVY_TIMEOUT",
-                  file_value(%w[scanning timeout], 120)).to_i
+          file_value(%w[scanning timeout], 120)).to_i
       end
 
       # Returns the list of ignored CVEs from configuration.
@@ -238,7 +238,8 @@ module Bundler
         ignored_cves.each do |ignore|
           if ignore["expires"]
             begin
-              Date.parse(ignore["expires"])
+              # Handle both string and Date objects
+              ignore["expires"].is_a?(Date) ? ignore["expires"] : Date.parse(ignore["expires"].to_s)
             rescue ArgumentError
               errors << "Invalid expiration date for #{ignore["id"]}: #{ignore["expires"]}"
             end
@@ -284,8 +285,8 @@ module Bundler
         end
 
         config
-      rescue StandardError => e
-        Bundler.ui.warn "Failed to load config: #{e.message}"
+      rescue => e
+        Bundler.ui.warn "Failed to load config (#{config_path}): #{e.message}"
         {}
       end
 
@@ -306,14 +307,16 @@ module Bundler
 
       def deep_merge(hash1, hash2)
         hash1.merge(hash2) do |_, v1, v2|
-          v1.is_a?(Hash) && v2.is_a?(Hash) ? deep_merge(v1, v2) : v2
+          (v1.is_a?(Hash) && v2.is_a?(Hash)) ? deep_merge(v1, v2) : v2
         end
       end
 
       def expired?(ignore_entry)
         return false unless ignore_entry["expires"]
 
-        expiration_date = Date.parse(ignore_entry["expires"])
+        # Handle both string and Date objects
+        expires = ignore_entry["expires"]
+        expiration_date = expires.is_a?(Date) ? expires : Date.parse(expires.to_s)
         Date.today > expiration_date
       rescue ArgumentError
         # Handle invalid date format, treat as not expired to be safe

data/lib/bundler/trivy/plugin.rb

@@ -49,8 +49,12 @@ module Bundler
 
         # Check if Trivy binary is available in PATH
         unless scanner.trivy_available?
-          Bundler.ui.warn "Trivy not found, skipping scan"
-          Bundler.ui.info "Install: https://trivy.dev/docs/getting-started/installation/"
+          begin
+            Bundler.ui.warn "Trivy not found, skipping scan"
+            Bundler.ui.info "Install: https://trivy.dev/docs/getting-started/installation/"
+          rescue
+            # Ignore UI errors
+          end
           return
         end
 
@@ -64,7 +68,7 @@ module Bundler
 
           # Exit with error code if vulnerabilities exceed configured thresholds
           handle_exit_code(results, config)
-        rescue StandardError => e
+        rescue => e
           Bundler.ui.warn "Trivy scan failed: #{e.message}"
           Bundler.ui.debug e.backtrace.join("\n") if ENV["DEBUG"]
         end

data/lib/bundler/trivy/reporter.rb

@@ -124,8 +124,15 @@ module Bundler
         puts
 
         fixable.group_by(&:package_name).each do |pkg, vulns|
-          vulns.map(&:fixed_version).compact.max_by { |v| Gem::Version.new(v.split(",").first) }
-          puts "  Update #{pkg}: bundle update #{pkg}"
+          # Get all fixed versions from all vulnerabilities for this package
+          all_versions = vulns.flat_map(&:fixed_versions).compact.uniq
+          # Find the maximum version that fixes all vulns (safest upgrade path)
+          recommended_version = all_versions.max_by { |v| Gem::Version.new(v) } if all_versions.any?
+          if recommended_version
+            puts "  Update #{pkg} to #{recommended_version}: bundle update #{pkg}"
+          else
+            puts "  Update #{pkg}: bundle update #{pkg}"
+          end
         end
 
         puts
@@ -164,7 +171,7 @@ module Bundler
       end
 
       def severity_order(severity)
-        { "CRITICAL" => 0, "HIGH" => 1, "MEDIUM" => 2, "LOW" => 3, "UNKNOWN" => 4 }[severity] || 99
+        {"CRITICAL" => 0, "HIGH" => 1, "MEDIUM" => 2, "LOW" => 3, "UNKNOWN" => 4}[severity] || 99
       end
 
       # Color helpers

data/lib/bundler/trivy/scanner.rb

@@ -121,7 +121,7 @@ module Bundler
 
         # Add severity filtering if configured
         severity_filter = @config.severity_filter
-        args += ["--severity", severity_filter.join(",")] if severity_filter && severity_filter.any?
+        args += ["--severity", severity_filter.join(",")] if severity_filter&.any?
 
         args << @project_root
         args

data/lib/bundler/trivy/version.rb

@@ -3,6 +3,6 @@
 module Bundler
   module Trivy
     # Version constant for bundler-trivy-plugin
-    VERSION = "0.1.2"
+    VERSION = "0.1.5"
   end
 end

data/lib/bundler/trivy/vulnerability.rb

@@ -88,7 +88,8 @@ module Bundler
 
       # Returns an array of all available fixed versions.
       #
-      # Parses the fixed_version string and splits on commas.
+      # Parses the fixed_version string and splits on commas, extracting
+      # version numbers from requirement constraints (e.g., "~> 7.1.5" -> "7.1.5").
       #
       # @return [Array<String>] Array of fixed version strings, empty if no fix available
       #
@@ -97,7 +98,16 @@ module Bundler
       def fixed_versions
         return [] unless fixable?
 
-        fixed_version.split(",").map(&:strip)
+        fixed_version.split(",").map(&:strip).filter_map do |constraint|
+          # Parse as a requirement (e.g., "~> 7.1.5" or ">= 7.1.5.2")
+          Gem::Requirement.new(constraint)
+          # Extract the version number from the requirement
+          # For "~> 7.1.5" -> "7.1.5", ">= 7.1.5.2" -> "7.1.5.2"
+          constraint.match(/\d+(?:\.\d+)*/)&.to_s
+        rescue ArgumentError
+          # If it's not a valid requirement, try to extract version directly
+          constraint.match(/\d+(?:\.\d+)*/)&.to_s
+        end.compact.reject(&:empty?)
       end
 
       # Returns the most applicable fixed version for the installed version.
@@ -117,9 +127,21 @@ module Bundler
         begin
           installed = Gem::Version.new(installed_version)
 
-          fixed_versions.find do |v|
+          # Find versions in same major.minor series
+          same_series = fixed_versions.select do |v|
             fixed = Gem::Version.new(v)
             fixed.segments[0..1] == installed.segments[0..1]
+          rescue ArgumentError
+            false
+          end
+
+          # Return the minimum version in the same series, or the overall minimum
+          target_versions = same_series.empty? ? fixed_versions : same_series
+          target_versions.min_by do |v|
+            Gem::Version.new(v)
+          rescue ArgumentError
+            # If version parsing fails, use a very high version to sort it last
+            Gem::Version.new("999.999.999")
           end
         rescue ArgumentError
           # If version parsing fails, return the first fixed version

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler-trivy
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.5
 platform: ruby
 authors:
 - Durable Programming LLC
@@ -65,6 +65,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: standard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.35.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.35.1
 description: Automatically scans Ruby dependencies for vulnerabilities using Trivy
   after bundle install. Provides configurable security policies, CI/CD integration,
   and comprehensive vulnerability reporting.