chelsea 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 12e5cefdcebf95177fb2a4dc4d3dd21803549b66a16570ecd7244191f70665c2
-  data.tar.gz: 6d42d99b6d1fbf033bcf1746857e92c819e0ad887dc7c680387a653b8d0d76ba
+  metadata.gz: 1633315a7f5da46a2c43414058160959b0be5202a3c7a6aa333e99f91f48a755
+  data.tar.gz: ac7a5f1f3c77061ccf54edf458758b621038f74ca9e272261cb0dc417cb94298
 SHA512:
-  metadata.gz: '09e122e3b9957a32ef4b270404a7388a13009564282cde771444852a5092e5b669d627c89260e7efda00d61af747184b159b48d9ad69603918d096bcff702ff3'
-  data.tar.gz: 0a4cd07a064cd5c40346ef6bd17fce588e97bfd242063c3e4e22b3db5c864378349d6ba6ab6ac9d9f13afffba1a1d37939d207696ce398840ae20c53799ff7c7
+  metadata.gz: 1b7eea08843bed093b27054b29da075edfc63730836421e8151e0dfd661d06f030bf7be242c8a08e11d5c4aae49434d3976f4b8a628962f44fa8e8b787979eea
+  data.tar.gz: c946fd43b812750e8d3ebe7b4c13914ca54e257c6b86a63d3abb1224bec4d94af027a1e4dcc7cd65940af23091b5e82d10d99e5397c1406e6d4199f2fb2f49b8

data/.circleci/config.yml

@@ -30,6 +30,15 @@ jobs:
             bundle exec rspec --format progress \
                             --format RspecJunitFormatter \
                             --out test_results/rspec.xml
+      - run:
+          name: Build gem
+          command: gem build chelsea.gemspec
+      - run:
+          name: Install gem
+          command: gem install ./chelsea-*.gem
+      - run:
+          name: Dogfood
+          command: chelsea --file Gemfile.lock
       - store_test_results:
           path: test_results
   release:

data/Gemfile.lock

@@ -1,8 +1,8 @@
 PATH
   remote: .
   specs:
-    chelsea (0.0.1)
-      bundler (~> 2.0.0)
+    chelsea (0.0.2)
+      bundler (>= 1.2.0, < 3)
       pastel (~> 0.7.2)
       rest-client (~> 2.0.2)
       slop (~> 4.8.0)
@@ -43,6 +43,8 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-support (3.9.2)
+    rspec_junit_formatter (0.4.1)
+      rspec-core (>= 2, < 4, != 2.12.0)
     slop (4.8.0)
     tty-color (0.5.1)
     tty-cursor (0.7.1)
@@ -60,6 +62,7 @@ DEPENDENCIES
   chelsea!
   rake (~> 10.0)
   rspec (~> 3.0)
+  rspec_junit_formatter (~> 0.4.1)
 
 BUNDLED WITH
    2.0.2

data/README.md

@@ -41,7 +41,7 @@ Options:
 
 Most basic usage is:
 
-`chelsea --file name.gemspec`
+`chelsea --file Gemfile.lock`
 
 ## Development
 

data/bin/chelsea

@@ -1,5 +1,5 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
-require "chelsea"
+require_relative "../lib/chelsea"
 
 Chelsea::CLI.new.main

data/chelsea.gemspec

@@ -35,7 +35,6 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-
   spec.add_dependency "tty-font", "~> 0.5.0"
   spec.add_dependency "tty-spinner", "~> 0.9.3"
   spec.add_dependency "slop", "~> 4.8.0"

data/lib/chelsea/gems.rb

@@ -5,6 +5,9 @@ require 'tty-spinner'
 require 'bundler'
 require 'bundler/lockfile_parser'
 require_relative 'version'
+require 'rubygems'
+require 'rubygems/commands/dependency_command'
+require 'pstore'
 
 module Chelsea
   class Gems
@@ -17,6 +20,8 @@ module Chelsea
       @coordinates = Hash.new()
       @coordinates["coordinates"] = Array.new()
       @server_response = Array.new()
+      @reverse_deps = Hash.new()
+      @store = PStore.new(get_db_store_location())
 
       if not gemfile_lock_file_exists()
         return
@@ -28,6 +33,12 @@ module Chelsea
       )
     end
 
+    def get_db_store_location()
+      initial_path = File.join("#{Dir.home}", ".ossindex")
+      Dir.mkdir(initial_path) unless File.exists? initial_path
+      path = File.join(initial_path, "chelsea.pstore")
+    end
+
     def execute(input: $stdin, output: $stdout)      
       n = get_dependencies()
       if n == 0
@@ -58,6 +69,10 @@ module Chelsea
       spinner = TTY::Spinner.new(format, success_mark: @pastel.green('+'), hide_cursor: true)
       spinner.auto_spin()
 
+      reverse = Gem::Commands::DependencyCommand.new
+      reverse.options[:reverse_dependencies] = true
+      @reverse_deps = reverse.reverse_dependencies(@lockfile.specs)
+
       @lockfile.specs.each do |gem|
         @dependencies[gem.name] = [gem.name, gem.version]
         rescue StandardError => e
@@ -95,28 +110,36 @@ module Chelsea
       end
     end
 
-    def get_user_agent()
-      user_agent = "chelsea/#{Chelsea::VERSION}"
-
-      user_agent
-    end
-
     def get_vulns()
       require 'json'
       require 'rest-client'
       format = "[#{@pastel.green(':spinner')}] " + @pastel.white("Making request to OSS Index server")
       spinner = TTY::Spinner.new(format, success_mark: @pastel.green('+'), hide_cursor: true)
       spinner.auto_spin()
-      r = RestClient.post "https://ossindex.sonatype.org/api/v3/component-report", @coordinates.to_json, 
-        {content_type: :json, accept: :json, 'User-Agent': get_user_agent()}
-      if r.code == 200
-        @server_response = JSON.parse(r.body)
+
+      check_db_for_cached_values()
+
+      if @coordinates["coordinates"].count() > 0
+        chunked = Hash.new()
+        @coordinates["coordinates"].each_slice(128).to_a.each do |coords|
+          chunked["coordinates"] = coords
+          r = RestClient.post "https://ossindex.sonatype.org/api/v3/component-report", chunked.to_json, 
+          {content_type: :json, accept: :json, 'User-Agent': get_user_agent()}
+        
+          if r.code == 200
+            @server_response = @server_response.concat(JSON.parse(r.body))
+            save_values_to_db(JSON.parse(r.body))
+            spinner.success("...done.")
+            @server_response.count()
+          else
+            spinner.stop("...request failed.")
+            print_err "Error getting data from OSS Index server. Server returned non-success code #{r.code}."
+            0
+          end
+        end
+      else
         spinner.success("...done.")
         @server_response.count()
-      else
-        spinner.stop("...request failed.")
-        print_err "Error getting data from OSS Index server. Server returned non-success code #{r.code}."
-        0
       end
     rescue SocketError => e
       spinner.stop("...request failed.")
@@ -150,17 +173,42 @@ module Chelsea
         i += 1
         package = r["coordinates"]
         vulnerable = r["vulnerabilities"].length() > 0
+        coord = r["coordinates"].sub("pkg:gem/", "")
+        name = coord.split('@')[0]
+        version = coord.split('@')[1]
+        reverse_dep_coord = "#{name}-#{version}"
         if vulnerable
           puts @pastel.red("[#{i}/#{count}] - #{package} ") +  @pastel.red.bold("Vulnerable.")
+          print_reverse_deps(@reverse_deps[reverse_dep_coord], name, version)
           r["vulnerabilities"].each do |k, v|
             puts @pastel.red.bold("    #{k}:#{v}")
           end
         else
           puts(@pastel.white("[#{i}/#{count}] - #{package} ") + @pastel.green.bold("No vulnerabilities found!"))
+          print_reverse_deps(@reverse_deps[reverse_dep_coord], name, version)
         end
       end
     end
 
+    def print_reverse_deps(reverse_deps, name, version)
+      reverse_deps.each do |dep|
+        dep.each do |gran|
+          if gran.class == String && !gran.include?(name)
+            # There is likely a fun and clever way to check @server-results, etc... and see if a dep is in there
+            # Right now this looks at all Ruby deps, so it might find some in your Library, but that don't belong to your project
+            puts "\tRequired by: " + gran
+          else
+          end
+        end
+      end
+    end
+
+    def to_purl(name, version)
+      purl = "pkg:gem/#{name}@#{version}"
+
+      purl
+    end
+
     def print_err(s)
       puts @pastel.red.bold(s)
     end
@@ -168,5 +216,61 @@ module Chelsea
     def print_success(s)
       puts @pastel.green.bold(s)
     end
+
+    private
+
+    def get_user_agent()
+      user_agent = "chelsea/#{Chelsea::VERSION}"
+
+      user_agent
+    end
+
+    # This method will take an array of values, and save them to a pstore database
+    # and as well set a TTL of Time.now to be checked later
+    def save_values_to_db(values)
+      values.each do |val|
+        if get_cached_value_from_db(val["coordinates"]).nil?
+          new_val = val.dup
+          new_val["ttl"] = Time.now
+          @store.transaction do 
+            @store[new_val["coordinates"]] = new_val
+          end 
+        end
+      end
+    end
+
+    # Checks pstore to see if a coordinate exists, and if it does also
+    # checks to see if it's ttl has expired. Returns nil unless a record
+    # is valid in the cache (ttl has not expired) and found
+    def get_cached_value_from_db(coordinate)
+      record = @store.transaction { @store[coordinate] }
+      if !record.nil?
+        diff = (Time.now - record['ttl']) / 3600
+        if diff > 12
+          return nil
+        else
+          return record
+        end
+      else
+        return nil
+      end
+    end
+
+    # Goes through the list of @coordinates and checks pstore for them, if it finds a valid coord
+    # it will add it to the server response. If it does not, it will append the coord to a new hash
+    # and eventually set @coordinates to the new hash, so we query OSS Index on only coords not in cache
+    def check_db_for_cached_values()
+      new_coords = Hash.new
+      new_coords["coordinates"] = Array.new
+      @coordinates["coordinates"].each do |coord|
+        record = get_cached_value_from_db(coord)
+        if !record.nil?
+          @server_response << record
+        else
+          new_coords["coordinates"].push(coord)
+        end
+      end
+      @coordinates = new_coords
+    end
   end
 end

data/lib/chelsea/version.rb

@@ -1,3 +1,3 @@
 module Chelsea
-  VERSION = "0.0.2"
+  VERSION = "0.0.3"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chelsea
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - Allister Beharry
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-22 00:00:00.000000000 Z
+date: 2020-03-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-font