chelsea 0.0.23 → 0.0.28

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1e449eef0aced5604c791b2b96bd8c0fffcc935271106ce300f5214828085f11
-  data.tar.gz: 703d4e5370a721099a08ff1605ec94b922d9d0bcc24b58a72ee5d1ddfd6e5cfc
+  metadata.gz: 1d6bcb375015c64ae7e452f93e38b10cfabb4ecbc9425fad0121e926a0148efa
+  data.tar.gz: f1a171d3a72a0bf910ac4e22258cee6a0d6c3e8181307856a34a5b22ca0435c7
 SHA512:
-  metadata.gz: 0af11040da9872e3b66440a52c9c33a74a2b15479bc2bf35363f87e2efdd26e149d271e0bfeef840f49cd2ee8d55430de8b1ab95cff6b61a5b9fdead77ace994
-  data.tar.gz: 1ca241b79dea4decab7d6d667c1cc61d2b4ee16d8d92b731bafbd890dadfb712db33dda125d49350d0bc706f87485dffdf545a8873d202e1b05a64b895e903e1
+  metadata.gz: decb1e4e8a54798161b2e888e1694d9558ba0bbacd6708c6cf32d4b71b32cb05520f017733a18e90dab99c0e2e2be500d3c8b8701b1ff464041ad63ab89ffa74
+  data.tar.gz: 94f91e9b3f248d7a3c494fdba567f832edf38b2e91e75f791ac1d9dace17b285e89d09c43bae25d6faacd0b2a76e5a4bb211acb3153dfc57ea4b581243f5d8d1

data/.circleci/config.yml

@@ -18,7 +18,7 @@ version: 2.1
 jobs: 
   build: 
     docker: 
-      - image: circleci/ruby:2.6.5-stretch
+      - image: circleci/ruby:2.6.6-stretch
         environment: 
           BUNDLE_PATH: vendor/bundle
     steps:
@@ -35,7 +35,9 @@ jobs:
             - chelsea-bundle-v2-
       - run:
           name: Bundle Install
-          command: bundle check --path vendor/bundle || bundle install
+          command: |
+            bundle config set --local path 'vendor/bundle'
+            bundle check || bundle install
       - save_cache:
           key: chelsea-bundle-v2-{{ checksum "Gemfile.lock" }}
           paths:
@@ -46,6 +48,9 @@ jobs:
             bundle exec rspec --format progress \
                             --format RspecJunitFormatter \
                             --out test_results/rspec.xml
+      - run:
+          name: Run linter
+          command: bundle exec rubocop
       - run:
           name: Build gem
           command: gem build chelsea.gemspec
@@ -62,7 +67,7 @@ jobs:
           path: test_results
   release:
     docker:
-      - image: circleci/ruby:2.6.5-stretch
+      - image: circleci/ruby:2.6.6-stretch
     steps:
       - add_ssh_keys:
           fingerprints:

data/.github/ISSUE_TEMPLATE/bug_report.md

@@ -23,7 +23,7 @@ If applicable, add screenshots to help explain your problem.
 
 **Desktop (please complete the following information):**
  - OS: [e.g. OS X 1.13.6]
- - Ruby Version: [e.g. 2.6.5]
+ - Ruby Version: [e.g. 2.6.6]
  - Bundler Version: [e.g. 2.1.4]
  - chelsea Version [e.g. 0.0.11]
 

data/.rubocop.yml

@@ -0,0 +1,6 @@
+AllCops:
+  NewCops: enable
+  TargetRubyVersion: 2.6.6
+
+Metrics/BlockLength:
+  IgnoredMethods: ['Slop.parse']

data/Gemfile

@@ -1,6 +1,11 @@
-source "https://rubygems.org"
+# frozen_string_literal: true
 
-git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
 
 # Specify your gem's dependencies in chelsea.gemspec
 gemspec
+
+# linter
+gem 'rubocop', require: false

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    chelsea (0.0.17)
+    chelsea (0.0.27)
       bundler (>= 1.2.0, < 3)
       ox (~> 2.13.2)
       pastel (~> 0.7.2)
@@ -16,6 +16,7 @@ GEM
   specs:
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
+    ast (2.4.2)
     byebug (11.1.2)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
@@ -31,16 +32,22 @@ GEM
     mime-types-data (3.2020.0512)
     necromancer (0.6.0)
     netrc (0.11.0)
-    ox (2.13.2)
+    ox (2.13.4)
+    parallel (1.20.1)
+    parser (3.0.0.0)
+      ast (~> 2.4.1)
     pastel (0.7.4)
       equatable (~> 0.6)
       tty-color (~> 0.5)
     public_suffix (4.0.3)
+    rainbow (3.0.0)
     rake (12.3.3)
+    regexp_parser (2.0.3)
     rest-client (2.0.2)
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
+    rexml (3.2.4)
     rspec (3.9.0)
       rspec-core (~> 3.9.0)
       rspec-expectations (~> 3.9.0)
@@ -56,17 +63,29 @@ GEM
     rspec-support (3.9.2)
     rspec_junit_formatter (0.4.1)
       rspec-core (>= 2, < 4, != 2.12.0)
+    rubocop (1.9.0)
+      parallel (~> 1.10)
+      parser (>= 3.0.0.0)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml
+      rubocop-ast (>= 1.2.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.4.1)
+      parser (>= 2.7.1.5)
+    ruby-progressbar (1.11.0)
     safe_yaml (1.0.5)
-    slop (4.8.1)
+    slop (4.8.2)
     strings (0.1.8)
       strings-ansi (~> 0.1)
       unicode-display_width (~> 1.5)
       unicode_utils (~> 1.4)
     strings-ansi (0.2.0)
-    tty-color (0.5.1)
+    tty-color (0.5.2)
     tty-cursor (0.7.1)
     tty-font (0.5.0)
-    tty-screen (0.8.0)
+    tty-screen (0.8.1)
     tty-spinner (0.9.3)
       tty-cursor (~> 0.7)
     tty-table (0.11.0)
@@ -94,6 +113,7 @@ DEPENDENCIES
   rake (~> 12.3)
   rspec (~> 3.0)
   rspec_junit_formatter (~> 0.4.1)
+  rubocop
   webmock (~> 3.8.3)
 
 BUNDLED WITH

data/README.md

@@ -135,9 +135,45 @@ Report URL: http://localhost:8070/ui/links/application/testapp/report/0e0f469269
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+We suggest using [rbenv](https://github.com/rbenv/rbenv) to setup a reliable ruby development environment.
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+Follow the [installation steps](https://github.com/rbenv/rbenv#installation). 
+For macos (10.15.7), there was a problem with step 2, with: `$ rbenv init`. The command 
+printed suggested editing `~/.bashrc`; however, this did not work in our case (even after an OS reboot),
+and we had to instead edit `~/bash_profile`. To sanity check your installation, you should see the 
+`.rbenv` directory early in your PATH, e.g.:
+```
+$ echo $PATH
+/Users/<username>/.rbenv/shims:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:...
+``` 
+ 
+We are using ruby version 2.6.6, but newer versions should also work.
+```
+rbenv install 2.6.6
+``` 
+
+Install `bundler`:
+```
+gem install bundler
+```
+
+Install dependencies:
+```
+bundle install
+```
+
+Run tests:
+```
+bundle exec rspec
+```
+
+To install this gem onto your local machine, run `bundle exec rake install`. To manually release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+### Release Process
+
+Chelsea is automatically released after a commit to the `master` branch.
+
+To avoid performing a release after a commit to the `master` branch, be sure your commit message includes `[skip ci] `.
 
 ## Why Chelsea?
 

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # Copyright 2019-Present Sonatype Inc.
 #
@@ -14,9 +16,9 @@
 # limitations under the License.
 #
 
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
 
 RSpec::Core::RakeTask.new(:spec)
 
-task :default => :spec
+task default: :spec

data/SECURITY.md

@@ -0,0 +1,79 @@
+<!--
+
+    Copyright (c) 2011-present Sonatype, Inc. All rights reserved.
+    Includes the third-party code listed at http://links.sonatype.com/products/clm/attributions.
+    "Sonatype" is a trademark of Sonatype, Inc.
+
+-->
+
+# Reporting Security Vulnerabilities
+
+## When to report
+
+First check
+[Important advisories of known security vulnerabilities in Sonatype products](https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories)
+to see if this has been previously reported.
+
+## How to report
+
+Please email reports regarding security related issues you find to [mailto:security@sonatype.com](security@sonatype.com).
+
+Use our public key below to keep your message safe.
+
+## What to include
+
+Please use a descriptive subject line in your email report.
+
+Your name and/or affiliation.
+
+A detailed technical description of the vulnerability, attack scenario and where
+possible, how we can reproduce your findings.
+
+Provide us with a secure way to respond.
+
+## What to expect
+
+Your email will be acknowledged within 1 - 2 business days, and you'll receive a
+more detailed response to your email within 7 business days.
+
+We ask that everyone please follow responsible disclosure practices and allow
+time for us to release a fix prior to public release.
+
+Once an issue is reported, Sonatype uses the following disclosure process:
+
+When a report is received, we confirm the issue and determine its severity.
+
+If third-party services or software require mitigation before publication, those
+projects will be notified.
+
+## Our public key
+
+```console
+-----BEGIN PUBLIC KEY BLOCK-----
+mQENBFF+a9ABCADQWSAAU7w9i71Zn3TQ6k7lT9x57cRdtX7V709oeN/c/1it+gCw
+onmmCyf4ypor6XcPSOasp/x0s3hVuf6YfMbI0tSwJUWWihrmoPGIXtmiSOotQE0Q
+Sav41xs3YyI9LzQB4ngZR/nhp4YhioD1dVorD6LGXk08rvl2ikoqHwTagbEXZJY7
+3VYhW6JHbZTLwCsfyg6uaSYF1qXfUxHPOiHYKNbhK/tM3giX+9ld/7xi+9f4zEFQ
+eX9wcRTdgdDOAqDOK7MV30KXagSqvW0MgEYtKX6q4KjjRzBYjkiTdFW/yMXub/Bs
+5UckxHTCuAmvpr5J0HIUeLtXi1QCkijyn8HJABEBAAG0KVNvbmF0eXBlIFNlY3Vy
+aXR5IDxzZWN1cml0eUBzb25hdHlwZS5jb20+iQE4BBMBAgAiBQJRfmvQAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAgkmxsNtgwfUzbCACLtCgieq1kJOqo
+2i136ND5ZOj31zIzNENLn8dhSg5zQwTHOcntWAtS8uCNq4fSlslwvlbPYWTLD7fE
+iJn1z7BCU8gBk+pkAJJFWEPweMVt+9bYQ4HfKceGbJeuwBBhS34SK9ZIp9gfxxfA
+oTm0aGYwKR5wH3sqL/mrhwKhPt9wXR4qwlE635STEX8wzJ5SBqf3ArJUtCp1rzgR
+Dx+DiZed5HE1pOI2Kyb6O80bm485WThPXxpvp3bfzTNYoGzeLi/F7WkmgggkXxsT
+Pyd0sSx0B/MO4lJtQvEBlIHDFno9mXa30fKl+rzp2geG5UxNHJUjaC5JhfWLEXEX
+wV0ErBsmuQENBFF+a9ABCADXj04+GLIz8VCaZH554nUHEhaKoiIXH3Tj7UiMZDqy
+o4WIw2RFaCQNA8T0R5Q0yxINU146JQMbA2SN59AGcGYZcajyEvTR7tLG0meMO6S0
+JWpkX7s3xaC0s+5SJ/ba00oHGzW0aotgzG9BWA5OniNHK7zZKMVu7M80M/wB1RvK
+x775hAeJ+8F9MDJ+ijydBtaOfDdkbg+0kU1xR6Io+vVLPk38ghlWU8QFP4/B0oWi
+jK4xiDqK6cG7kyH9kC9nau+ckH8MrJ/RzEpsc4GRwqS4IEnvHWe7XbgydWS1bCp6
+8uP5ma3d02elQmSEa+PABIPKnZcAf1YKLr9O/+IzEdOhABEBAAGJAR8EGAECAAkF
+AlF+a9ACGwwACgkQIJJsbDbYMH3WzAf/XOm4YQZFOgG2h9d03m8me8d1vrYico+0
+pBYU9iCozLgamM4er9Efb+XzfLvNVKuqyR0cgvGszukIPQYeX58DMrZ07C+E0wDZ
+bG+ZAYXT5GqsHkSVnMCVIfyJNLjR4sbVzykyVtnccBL6bP3jxbCP1jJdT7bwiKre
+1jQjvyoL0yIegdiN/oEdmx52Fqjt4NkQsp4sk625UBFTVISr22bnf60ZIGgrRbAP
+DU1XMdIrmqmhEEQcXMp4CeflDMksOmaIeAUkZY7eddnXMwQDJTnz5ziCal+1r0R3
+dh0XISRG0NkiLEXeGkrs7Sn7BAAsTsaH/1zU6YbvoWlMlHYT6EarFQ== =sFGt
+-----END PUBLIC KEY BLOCK-----
+```

data/bin/chelsea

@@ -16,7 +16,8 @@
 #
 
 # frozen_string_literal: true
-require_relative "../lib/chelsea"
+
+require_relative '../lib/chelsea'
 require 'slop'
 opts =
   begin
@@ -31,13 +32,19 @@ opts =
       o.string '-iu', '--iquser', 'Specify the IQ username', default: 'admin'
       o.string '-it', '--iqpass', 'Specify the IQ auth token', default: 'admin123'
       o.string '-w', '--whitelist', 'Set path to vulnerability whitelist file'
-      o.bool '-v', '--verbose', 'For text format, list dependencies, their reverse dependencies (what brought them in to your project), and if they are vulnerable. (default: false)', default: false
-      o.string '-t', '--format', 'Choose what type of format you want your report in (default: text) (options: text, json, xml)', default: 'text'
+      o.bool '-v', '--verbose',
+             'For text format, list dependencies, their reverse dependencies (what brought them in to your project), and
+ if they are vulnerable. (default: false)', default: false
+      o.string '-t', '--format',
+               'Choose what type of format you want your report in (default: text) (options: text, json, xml)',
+               default: 'text'
       o.bool '-b', '--iq', 'Use Nexus IQ Server to audit your project'
-      o.string '-s', '--stage', 'Specify Nexus IQ Stage (default: build) (options: develop, build, stage-release, release, operate)', default: 'build'
+      o.string '-s', '--stage',
+               'Specify Nexus IQ Stage (default: build) (options: develop, build, stage-release, release, operate)',
+               default: 'build'
       o.on '--version', 'Print the version' do
-          puts Chelsea::VERSION
-          exit
+        puts Chelsea::VERSION
+        exit
       end
       o.on '-h', '--help', 'Show usage' do
         puts(o)
@@ -45,7 +52,7 @@ opts =
       end
     end
   rescue Slop::Error => e
-    puts(e.message + ' (try --help)')
+    puts("#{e.message} (try --help)")
     exit 1
   end
 if opts.arguments.count.positive?

data/bin/console

@@ -1,4 +1,6 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
+
 #
 # Copyright 2019-Present Sonatype Inc.
 #
@@ -15,9 +17,8 @@
 # limitations under the License.
 #
 
+require 'bundler/setup'
+require 'chelsea'
 
-require "bundler/setup"
-require "chelsea"
-
-require "irb"
+require 'irb'
 IRB.start(__FILE__)

data/chelsea.gemspec

@@ -1,42 +1,43 @@
+# frozen_string_literal: true
 
-lib = File.expand_path("../lib", __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require "chelsea/version"
+require 'chelsea/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = "chelsea"
-  spec.license       = "Apache-2.0"
+  spec.name          = 'chelsea'
+  spec.license       = 'Apache-2.0'
   spec.version       = Chelsea::VERSION
-  spec.authors       = ["Allister Beharry"]
-  spec.email         = ["allister.beharry@gmail.com"]
+  spec.authors       = ['Allister Beharry']
+  spec.email         = ['allister.beharry@gmail.com']
+  spec.required_ruby_version = '>= 2.6.6'
 
-  spec.summary       = "Audit Ruby package dependencies for security vulnerabilities."
-  spec.homepage      = "https://github.com/sonatype-nexus-community/chelsea"
-  
-  spec.metadata["homepage_uri"] = spec.homepage
-  spec.metadata["source_code_uri"] = "https://github.com/sonatype-nexus-community/chelsea"
-  spec.metadata["changelog_uri"] = "https://github.com/sonatype-nexus-community/chelsea/CHANGELOG"
+  spec.summary       = 'Audit Ruby package dependencies for security vulnerabilities.'
+  spec.homepage      = 'https://github.com/sonatype-nexus-community/chelsea'
 
-  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/sonatype-nexus-community/chelsea'
+  spec.metadata['changelog_uri'] = 'https://github.com/sonatype-nexus-community/chelsea/CHANGELOG'
+
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
-  spec.bindir        = "bin"
+  spec.bindir        = 'bin'
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
 
-  spec.add_dependency "tty-font", "~> 0.5.0"
-  spec.add_dependency "tty-spinner", "~> 0.9.3"
-  spec.add_dependency "slop", "~> 4.8.1"
-  spec.add_dependency "pastel", "~> 0.7.2"
-  spec.add_dependency "rest-client", "~> 2.0.2"
-  spec.add_dependency "bundler", ">= 1.2.0", "< 3"
-  spec.add_dependency "ox", "~> 2.13.2"
-  spec.add_dependency "tty-table", "~> 0.11.0"
+  spec.add_dependency 'bundler', '>= 1.2.0', '< 3'
+  spec.add_dependency 'ox', '~> 2.13.2'
+  spec.add_dependency 'pastel', '~> 0.7.2'
+  spec.add_dependency 'rest-client', '~> 2.0.2'
+  spec.add_dependency 'slop', '~> 4.8.1'
+  spec.add_dependency 'tty-font', '~> 0.5.0'
+  spec.add_dependency 'tty-spinner', '~> 0.9.3'
+  spec.add_dependency 'tty-table', '~> 0.11.0'
 
-  spec.add_development_dependency "rake", "~> 12.3"
-  spec.add_development_dependency "rspec", "~> 3.0"
-  spec.add_development_dependency "rspec_junit_formatter", "~> 0.4.1"
-  spec.add_development_dependency "webmock", "~> 3.8.3"
-  spec.add_development_dependency "byebug", "~> 11.1.2"
-  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'byebug', '~> 11.1.2'
+  spec.add_development_dependency 'rake', '~> 12.3'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rspec_junit_formatter', '~> 0.4.1'
+  spec.add_development_dependency 'webmock', '~> 3.8.3'
 end