capistrano-bundle_audit 0.0.5 → 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +9 -0
- data/capistrano-bundle_audit.gemspec +1 -1
- data/lib/capistrano/bundle_audit/version.rb +1 -1
- data/lib/capistrano/tasks/bundle_audit.rake +9 -6
- metadata +7 -7
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6ea145f68dcfb596d6495508735045ecfe748e4e
|
|
4
|
+
data.tar.gz: c1654a55b6549127642a85d61a3fa727e414bdf0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1eab1bf796254f443ed10da984355c6947a3ce1fd4807f0c87a353c9b3cd0bd5be4f20b8629427cb8f4f346d6d40de1f794efc6b05d8d61dd5cb37baf68173dc
|
|
7
|
+
data.tar.gz: ab18c1f831df47f7a3fc33ef27e7436bbc74ee3866940d450ed408e8f4644bd95b9290b4469da32e690bdd8f9531157d823f8a0fd5e15ca6e8596f95f0ad9309
|
data/README.md
CHANGED
|
@@ -24,6 +24,15 @@ require 'capistrano/bundle_audit'
|
|
|
24
24
|
|
|
25
25
|
After `deploy:updating` (and before the deployed code is released as the current version), `bundle-audit` will be run against the pushed code. If any vulnerabilities are discovered, the release will be aborted.
|
|
26
26
|
|
|
27
|
+
### Skipping auditing
|
|
28
|
+
|
|
29
|
+
In some cases, it is impossible to update to secure versions of dependencies. In these cases, you can relax the audit by either:
|
|
30
|
+
|
|
31
|
+
- setting the `SKIP_BUNDLE_AUDIT` environment variable before deploying (e.g. `SKIP_BUNDLE_AUDIT=true bundle exec cap production deploy`)
|
|
32
|
+
- ignore specific vulnerabilities by setting the Capistrano variable `bundle_audit_ignore` in `config/deploy.rb` or similar (e.g. `set :bundle_audit_ignore, %w(CVE-123456)` to ignore the vulnerability reported in CVE-123456)
|
|
33
|
+
|
|
34
|
+
|
|
35
|
+
|
|
27
36
|
## Contributing
|
|
28
37
|
|
|
29
38
|
1. Fork it ( https://github.com/[my-github-username]/capistrano-bundle_audit/fork )
|
|
@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
|
|
|
18
18
|
spec.require_paths = ["lib"]
|
|
19
19
|
|
|
20
20
|
spec.add_dependency "capistrano", "~> 3.0"
|
|
21
|
-
spec.add_dependency "bundler-audit"
|
|
21
|
+
spec.add_dependency "bundler-audit", "~> 0.5"
|
|
22
22
|
|
|
23
23
|
spec.add_development_dependency "bundler", "~> 1.6"
|
|
24
24
|
spec.add_development_dependency "rake", "~> 10.0"
|
|
@@ -3,7 +3,7 @@ require 'tmpdir'
|
|
|
3
3
|
|
|
4
4
|
namespace :deploy do
|
|
5
5
|
namespace :check do
|
|
6
|
-
desc "Audit the Gemfile
|
|
6
|
+
desc "Audit the Gemfile.lock for known vulnerabilities"
|
|
7
7
|
task :bundle_audit do
|
|
8
8
|
on roles(:app), in: :sequence do |host|
|
|
9
9
|
|
|
@@ -11,14 +11,13 @@ namespace :deploy do
|
|
|
11
11
|
Dir.mktmpdir do |dir|
|
|
12
12
|
Dir.chdir dir do
|
|
13
13
|
download! "#{release_path}/Gemfile.lock", "Gemfile.lock"
|
|
14
|
-
download! "#{release_path}/Gemfile", "Gemfile"
|
|
15
14
|
|
|
16
15
|
run_locally do
|
|
16
|
+
capture %(echo 'gem "bundler-audit"' > Gemfile)
|
|
17
17
|
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
bundle_audit_output = capture "bundle-audit #{"--ignore #{Shellwords.join(fetch(:bundle_audit_ignore))}" unless fetch(:bundle_audit_ignore).empty? }"
|
|
18
|
+
bundle_audit_output = Bundler.with_clean_env do
|
|
19
|
+
capture "bundle-audit check --update #{"--ignore #{Shellwords.join(fetch(:bundle_audit_ignore))}" unless fetch(:bundle_audit_ignore).empty? }"
|
|
20
|
+
end
|
|
22
21
|
|
|
23
22
|
# bundle-audit includes failures for both gem vulnerabilities
|
|
24
23
|
# and insecure gem sources, and offers no way to distinguish those cases.
|
|
@@ -27,7 +26,11 @@ namespace :deploy do
|
|
|
27
26
|
# a solution available to upgrade. If no solution is available deploy
|
|
28
27
|
# will still be allowed.
|
|
29
28
|
if bundle_audit_output =~ /Solution: upgrade to/
|
|
29
|
+
warn bundle_audit_output
|
|
30
30
|
fail "Bundle audit failed; update your vulnerable dependencies before deploying"
|
|
31
|
+
else
|
|
32
|
+
debug bundle_audit_output
|
|
33
|
+
info bundle_audit_output.split("\n").last
|
|
31
34
|
end
|
|
32
35
|
end
|
|
33
36
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: capistrano-bundle_audit
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0
|
|
4
|
+
version: 0.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Chris Beer
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2016-06-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: capistrano
|
|
@@ -28,16 +28,16 @@ dependencies:
|
|
|
28
28
|
name: bundler-audit
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
|
-
- - "
|
|
31
|
+
- - "~>"
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: '0'
|
|
33
|
+
version: '0.5'
|
|
34
34
|
type: :runtime
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
|
-
- - "
|
|
38
|
+
- - "~>"
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version: '0'
|
|
40
|
+
version: '0.5'
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
42
|
name: bundler
|
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -102,7 +102,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
102
102
|
version: '0'
|
|
103
103
|
requirements: []
|
|
104
104
|
rubyforge_project:
|
|
105
|
-
rubygems_version: 2.4
|
|
105
|
+
rubygems_version: 2.6.4
|
|
106
106
|
signing_key:
|
|
107
107
|
specification_version: 4
|
|
108
108
|
summary: Audit a project's gem dependencies before deployment
|