bundler-trivy 0.1.2 → 0.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +19 -19
- data/lib/bundler/trivy/reporter.rb +6 -3
- data/lib/bundler/trivy/version.rb +1 -1
- data/lib/bundler/trivy/vulnerability.rb +29 -3
- metadata +1 -1
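--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b15121173aebfa308affe634e3d6cb0277f93f79837e981bcd260421026b969b
+data.tar.gz: 5c6bddbbe3f88ec138326b8f24c1c4401eb6829c363d7f51bfabd0d17b0af9f4
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0070302073a86081f13386e0815842ed3b076ad1d77804bbfa64058a0b013cdc05cde42acf86add7f8461ab65406074946b0e74e6570632564b4cd1655782e24
+data.tar.gz: 4cd3b619ba077a13868ceb77c152b5d60159762db88eeec20cd7dbebd5b2a5f9b255d016f55ed66e03322bfc8edc70e8ff64447c728ac514f0c510ca98d70ad4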
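--- a/data/README.md
+++ b/data/README.md
@@ -39,21 +39,21 @@ sudo apt-get install trivy
 
 **From source** (currently):
 ```bash
-gem build
-bundle plugin install
+gem build bunder-trivy.gemspec
+bundle plugin install bunder-trivy --source .
 ```
 
 **Coming soon - from RubyGems**:
 ```bash
-gem install
-bundle plugin install
+gem install bunder-trivy
+bundle plugin install bunder-trivy
 ```
 
 ### 3. Verify Installation
 
 ```bash
 bundle plugin list
-# Should show:
+# Should show: bunder-trivy
 
 trivy --version
 # Should show: Version: 0.x.x or later
@@ -264,8 +264,8 @@ jobs:
 
 - name: Install Plugin
 run: |
-gem build
-bundle plugin install
+gem build bunder-trivy.gemspec
+bundle plugin install bunder-trivy --source .
 
 - name: Install Dependencies with Security Scan
 run: bundle install
@@ -282,8 +282,8 @@ security_scan:
 - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add -
 - echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee -a /etc/apt/sources.list.d/trivy.list
 - apt-get update && apt-get install -y trivy
-- gem build
-- bundle plugin install
+- gem build bunder-trivy.gemspec
+- bundle plugin install bunder-trivy --source .
 script:
 - bundle install
 allow_failure: false
@@ -309,13 +309,13 @@ BUNDLER_TRIVY_FAIL_ON_HIGH=true bundle install
 **Check plugin is installed**:
 ```bash
 bundle plugin list
-# Should show
+# Should show bunder-trivy
 ```
 
 **Reinstall if needed**:
 ```bash
-bundle plugin uninstall
-bundle plugin install
+bundle plugin uninstall bunder-trivy
+bundle plugin install bunder-trivy --source .
 ```
 
 ### Trivy not found
@@ -378,8 +378,8 @@ chmod +x $(which trivy)
 ### Setup
 
 ```bash
-git clone https://github.com/durableprogramming/
-cd
+git clone https://github.com/durableprogramming/bunder-trivy.git
+cd bunder-trivy
 bundle install
 ```
 
@@ -410,12 +410,12 @@ bundle exec rubocop -a
 
 ```bash
 # Build gem
-gem build
+gem build bunder-trivy.gemspec
 
 # Install in test project
 cd /path/to/test/project
-bundle plugin uninstall
-bundle plugin install
+bundle plugin uninstall bunder-trivy || true
+bundle plugin install bunder-trivy --source /path/to/plugin
 
 # Test
 bundle install
@@ -465,8 +465,8 @@ MIT License - see [LICENSE](LICENSE) for details.
 
 ## Support
 
-- **Documentation**: [GitHub README](https://github.com/durableprogramming/
-- **Issues**: [GitHub Issues](https://github.com/durableprogramming/
+- **Documentation**: [GitHub README](https://github.com/durableprogramming/bunder-trivy)
+- **Issues**: [GitHub Issues](https://github.com/durableprogramming/bunder-trivy/issues)
 - **Email**: commercial@durableprogramming.com
 
 ## Credits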
@@ -123,9 +123,12 @@ module Bundler
|
|
|
123
123
|
puts bold("Recommended Actions:")
|
|
124
124
|
puts
|
|
125
125
|
|
|
126
|
-
fixable.group_by(&:package_name).each do |
|
|
127
|
-
|
|
128
|
-
|
|
126
|
+
fixable.group_by(&:package_name).each do |_pkg, vulns|
|
|
127
|
+
# Get all fixed versions from all vulnerabilities for this package
|
|
128
|
+
all_versions = vulns.flat_map(&:fixed_versions).compact.uniq
|
|
129
|
+
# Find the minimum version that fixes all vulns (safest upgrade path)
|
|
130
|
+
_recommended_version = all_versions.min_by { |v| Gem::Version.new(v) } if all_versions.any?
|
|
131
|
+
puts " Update #{_pkg}: bundle update #{_pkg}"
|
|
129
132
|
end
|
|
130
133
|
|
|
131
134
|
puts
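Review bot: `_recommended_version` on new line 130 is computed and never used, and what it holds is not what the comment on line 129 claims: the lowest of all fixed versions across a package's vulnerabilities only closes the vulnerability with the lowest fix, so a recommendation built on it would leave the user exposed to the others. The safe target is the highest of the per-vulnerability minimums, and it is worth printing, because `bundle update pkg` on line 131 does not tell the user how far the upgrade has to go. `Gem::Version.new` also raises `ArgumentError` on a malformed string, which would abort the whole report mid-loop; filtering with `Gem::Version.correct?` first avoids that. The underscore prefix on `_pkg` marks the parameter unused while the body interpolates it twice, so it should just be `pkg`. The enclosing method starts and ends outside the hunk.
```ruby
fixable.group_by(&:package_name).each do |pkg, vulns|
  # Each vulnerability is closed by its own lowest fixed version; the package is
  # only clean once it reaches the highest of those, so take the max of the mins.
  per_vuln_floor = vulns.filter_map do |vuln|
    vuln.fixed_versions.select { |v| Gem::Version.correct?(v) }
                       .min_by { |v| Gem::Version.new(v) }
  end
  target = per_vuln_floor.max_by { |v| Gem::Version.new(v) }
  hint = target ? " (#{target} or later)" : ""
  puts "  Update #{pkg}: bundle update #{pkg}#{hint}"
end
```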
|
|
@@ -88,7 +88,8 @@ module Bundler
|
|
|
88
88
|
|
|
89
89
|
# Returns an array of all available fixed versions.
|
|
90
90
|
#
|
|
91
|
-
# Parses the fixed_version string and splits on commas
|
|
91
|
+
# Parses the fixed_version string and splits on commas, extracting
|
|
92
|
+
# version numbers from requirement constraints (e.g., "~> 7.1.5" -> "7.1.5").
|
|
92
93
|
#
|
|
93
94
|
# @return [Array<String>] Array of fixed version strings, empty if no fix available
|
|
94
95
|
#
|
|
@@ -97,7 +98,18 @@ module Bundler
|
|
|
97
98
|
def fixed_versions
|
|
98
99
|
return [] unless fixable?
|
|
99
100
|
|
|
100
|
-
fixed_version.split(",").map(&:strip)
|
|
101
|
+
fixed_version.split(",").map(&:strip).filter_map do |constraint|
|
|
102
|
+
begin
|
|
103
|
+
# Parse as a requirement (e.g., "~> 7.1.5" or ">= 7.1.5.2")
|
|
104
|
+
Gem::Requirement.new(constraint)
|
|
105
|
+
# Extract the version number from the requirement
|
|
106
|
+
# For "~> 7.1.5" -> "7.1.5", ">= 7.1.5.2" -> "7.1.5.2"
|
|
107
|
+
constraint.match(/[\d.]+/)&.to_s
|
|
108
|
+
rescue ArgumentError
|
|
109
|
+
# If it's not a valid requirement, try to extract version directly
|
|
110
|
+
constraint.match(/[\d.]+/)&.to_s
|
|
111
|
+
end
|
|
112
|
+
end.compact
|
|
101
113
|
end
|
|
102
114
|
|
|
103
115
|
# Returns the most applicable fixed version for the installed version.
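Review bot: In the new `fixed_versions` body (new lines 101–112) the result of `Gem::Requirement.new(constraint)` is discarded and the main branch and the `rescue ArgumentError` branch both run the identical `constraint.match(/[\d.]+/)&.to_s`, so the parse buys nothing and the rescue is dead code. The regex also stops at the first character outside `[0-9.]`, so a prerelease fix such as `7.1.5.rc1` is reported as `7.1.5`, which is not the version that actually ships the fix, and a bare `.` or `1..2` would pass as a version; the trailing `.compact` on line 112 is redundant after `filter_map`. Since the parser already yields the version (with any prerelease tag intact), use it and keep a stricter digit scan only as the fallback for strings that are not a requirement at all. The method is entirely inside the hunk.
```ruby
fixed_version.split(",").map(&:strip).filter_map do |constraint|
  # Let the requirement parser produce the version (keeps prerelease tags such
  # as "7.1.5.rc1"); fall back to the leading dotted digit run only for
  # strings that are not a valid requirement at all.
  Gem::Requirement.new(constraint).requirements.map { |_op, ver| ver.to_s }.first
rescue ArgumentError
  constraint[/\d+(?:\.\d+)*/]
end
```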
|
|
@@ -117,9 +129,23 @@ module Bundler
|
|
|
117
129
|
begin
|
|
118
130
|
installed = Gem::Version.new(installed_version)
|
|
119
131
|
|
|
120
|
-
|
|
132
|
+
# Find versions in same major.minor series
|
|
133
|
+
same_series = fixed_versions.select do |v|
|
|
121
134
|
fixed = Gem::Version.new(v)
|
|
122
135
|
fixed.segments[0..1] == installed.segments[0..1]
|
|
136
|
+
rescue ArgumentError
|
|
137
|
+
false
|
|
138
|
+
end
|
|
139
|
+
|
|
140
|
+
# Return the minimum version in the same series, or the overall minimum
|
|
141
|
+
target_versions = same_series.empty? ? fixed_versions : same_series
|
|
142
|
+
target_versions.min_by do |v|
|
|
143
|
+
begin
|
|
144
|
+
Gem::Version.new(v)
|
|
145
|
+
rescue ArgumentError
|
|
146
|
+
# If version parsing fails, use a very high version to sort it last
|
|
147
|
+
Gem::Version.new("999.999.999")
|
|
148
|
+
end
|
|
123
149
|
end
|
|
124
150
|
rescue ArgumentError
|
|
125
151
|
# If version parsing fails, return the first fixed version
|