chelsea 0.0.3 → 0.0.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +19 -5
- data/README.md +6 -3
- data/bin/chelsea +25 -1
- data/chelsea.gemspec +3 -1
- data/lib/chelsea/cli.rb +49 -53
- data/lib/chelsea/dependency_exception.rb +8 -0
- data/lib/chelsea/deps.rb +171 -0
- data/lib/chelsea/formatters/factory.rb +16 -0
- data/lib/chelsea/formatters/formatter.rb +12 -0
- data/lib/chelsea/formatters/json.rb +18 -0
- data/lib/chelsea/formatters/text.rb +63 -0
- data/lib/chelsea/formatters/xml.rb +60 -0
- data/lib/chelsea/gems.rb +72 -230
- data/lib/chelsea/version.rb +1 -1
- metadata +39 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e8ddb15d0a891dbfa7ce2c666d01ef1cda63727631496efc44fb71202931c485
|
4
|
+
data.tar.gz: 982bdf90ff3ed1851c6eea78519f7dbab3b40c60c23e5b21949035437bc9680c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 77205e26a996f43726400fa0ab2ac96299829c75546a3b2d8b153df476d9065defbae40007e1095046fa1f917655fe57c0a919e2986ff28d66fb7b0fcbf3b196
|
7
|
+
data.tar.gz: 45499656d17b88a75584c687488af409770dffcdd331bc55292f52cad2aa572e3b9ff757ba880006928b8da386ba8900e65d72d54a3fb03121b745c777b17027
|
data/Gemfile.lock
CHANGED
@@ -1,30 +1,38 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
chelsea (0.0.
|
4
|
+
chelsea (0.0.3)
|
5
5
|
bundler (>= 1.2.0, < 3)
|
6
|
+
ox (~> 2.13.2)
|
6
7
|
pastel (~> 0.7.2)
|
7
8
|
rest-client (~> 2.0.2)
|
8
|
-
slop (~> 4.8.
|
9
|
+
slop (~> 4.8.1)
|
9
10
|
tty-font (~> 0.5.0)
|
10
11
|
tty-spinner (~> 0.9.3)
|
11
12
|
|
12
13
|
GEM
|
13
14
|
remote: https://rubygems.org/
|
14
15
|
specs:
|
16
|
+
addressable (2.7.0)
|
17
|
+
public_suffix (>= 2.0.2, < 5.0)
|
18
|
+
crack (0.4.3)
|
19
|
+
safe_yaml (~> 1.0.0)
|
15
20
|
diff-lcs (1.3)
|
16
21
|
domain_name (0.5.20190701)
|
17
22
|
unf (>= 0.0.5, < 1.0.0)
|
18
23
|
equatable (0.6.1)
|
24
|
+
hashdiff (1.0.1)
|
19
25
|
http-cookie (1.0.3)
|
20
26
|
domain_name (~> 0.5)
|
21
27
|
mime-types (3.3.1)
|
22
28
|
mime-types-data (~> 3.2015)
|
23
29
|
mime-types-data (3.2019.1009)
|
24
30
|
netrc (0.11.0)
|
31
|
+
ox (2.13.2)
|
25
32
|
pastel (0.7.3)
|
26
33
|
equatable (~> 0.6)
|
27
34
|
tty-color (~> 0.5)
|
35
|
+
public_suffix (4.0.3)
|
28
36
|
rake (10.5.0)
|
29
37
|
rest-client (2.0.2)
|
30
38
|
http-cookie (>= 1.0.2, < 2.0)
|
@@ -45,7 +53,8 @@ GEM
|
|
45
53
|
rspec-support (3.9.2)
|
46
54
|
rspec_junit_formatter (0.4.1)
|
47
55
|
rspec-core (>= 2, < 4, != 2.12.0)
|
48
|
-
|
56
|
+
safe_yaml (1.0.5)
|
57
|
+
slop (4.8.1)
|
49
58
|
tty-color (0.5.1)
|
50
59
|
tty-cursor (0.7.1)
|
51
60
|
tty-font (0.5.0)
|
@@ -53,7 +62,11 @@ GEM
|
|
53
62
|
tty-cursor (~> 0.7)
|
54
63
|
unf (0.1.4)
|
55
64
|
unf_ext
|
56
|
-
unf_ext (0.0.7.
|
65
|
+
unf_ext (0.0.7.7)
|
66
|
+
webmock (3.8.3)
|
67
|
+
addressable (>= 2.3.6)
|
68
|
+
crack (>= 0.3.2)
|
69
|
+
hashdiff (>= 0.4.0, < 2.0.0)
|
57
70
|
|
58
71
|
PLATFORMS
|
59
72
|
ruby
|
@@ -63,6 +76,7 @@ DEPENDENCIES
|
|
63
76
|
rake (~> 10.0)
|
64
77
|
rspec (~> 3.0)
|
65
78
|
rspec_junit_formatter (~> 0.4.1)
|
79
|
+
webmock (~> 3.8.3)
|
66
80
|
|
67
81
|
BUNDLED WITH
|
68
|
-
2.
|
82
|
+
2.1.2
|
data/README.md
CHANGED
@@ -30,13 +30,16 @@ $ chelsea
|
|
30
30
|
\____/|_| |_| \___||_||___/ \___| \__,_|
|
31
31
|
|
32
32
|
|
33
|
-
Version: 0.0.
|
33
|
+
Version: 0.0.3
|
34
34
|
|
35
35
|
usage: chelsea [options] ...
|
36
36
|
|
37
37
|
Options:
|
38
|
-
-
|
39
|
-
--
|
38
|
+
-h, --help show usage
|
39
|
+
-q, --quiet make chelsea only output vulnerable third party dependencies for text output (default: false)
|
40
|
+
-t, --format choose what type of format you want your report in (default: text) (options: text, json, xml)
|
41
|
+
-f, --file path to your Gemfile.lock
|
42
|
+
--version print the version
|
40
43
|
```
|
41
44
|
|
42
45
|
Most basic usage is:
|
data/bin/chelsea
CHANGED
@@ -1,5 +1,29 @@
|
|
1
1
|
#!/usr/bin/env ruby
|
2
2
|
# frozen_string_literal: true
|
3
3
|
require_relative "../lib/chelsea"
|
4
|
+
require 'slop'
|
5
|
+
opts =
|
6
|
+
begin
|
7
|
+
Slop.parse do |o|
|
8
|
+
o.string '-f', '--file', 'do the dang thing'
|
9
|
+
o.bool '-q', '--quiet', 'make chelsea only output vulnerable third party dependencies for text output (default: false)', default: false
|
10
|
+
o.string '-t', '--format', 'choose what type of format you want your report in (default: text) (options: text, json, xml)', default: 'text'
|
11
|
+
o.on '--version', 'print the version' do
|
12
|
+
puts Chelsea::VERSION
|
13
|
+
exit
|
14
|
+
end
|
15
|
+
o.on '-h', '--help', 'show usage' do
|
16
|
+
puts(o)
|
17
|
+
exit
|
18
|
+
end
|
19
|
+
end
|
20
|
+
rescue Slop::Error => e
|
21
|
+
puts(e.message + ' (try --help)')
|
22
|
+
exit 1
|
23
|
+
end
|
24
|
+
if opts.arguments.count.positive?
|
25
|
+
puts("extraneous arguments: #{opts.arguments.join(' ')} (try --help)")
|
26
|
+
exit 1
|
27
|
+
end
|
4
28
|
|
5
|
-
Chelsea::CLI.new.
|
29
|
+
Chelsea::CLI.new(opts).process!
|
data/chelsea.gemspec
CHANGED
@@ -37,12 +37,14 @@ Gem::Specification.new do |spec|
|
|
37
37
|
|
38
38
|
spec.add_dependency "tty-font", "~> 0.5.0"
|
39
39
|
spec.add_dependency "tty-spinner", "~> 0.9.3"
|
40
|
-
spec.add_dependency "slop", "~> 4.8.
|
40
|
+
spec.add_dependency "slop", "~> 4.8.1"
|
41
41
|
spec.add_dependency "pastel", "~> 0.7.2"
|
42
42
|
spec.add_dependency "rest-client", "~> 2.0.2"
|
43
43
|
spec.add_dependency "bundler", ">= 1.2.0", "< 3"
|
44
|
+
spec.add_dependency "ox", "~> 2.13.2"
|
44
45
|
|
45
46
|
spec.add_development_dependency "rake", "~> 10.0"
|
46
47
|
spec.add_development_dependency "rspec", "~> 3.0"
|
47
48
|
spec.add_development_dependency "rspec_junit_formatter", "~> 0.4.1"
|
49
|
+
spec.add_development_dependency "webmock", "~> 3.8.3"
|
48
50
|
end
|
data/lib/chelsea/cli.rb
CHANGED
@@ -1,33 +1,49 @@
|
|
1
1
|
require 'slop'
|
2
2
|
require 'pastel'
|
3
|
+
require 'tty-font'
|
4
|
+
|
3
5
|
require_relative 'version'
|
6
|
+
require_relative 'gems'
|
4
7
|
|
5
8
|
module Chelsea
|
9
|
+
##
|
10
|
+
# This class provides an interface to the oss index, gems and deps
|
6
11
|
class CLI
|
7
|
-
def main(command_line_options=ARGV)
|
8
|
-
puts show_logo()
|
9
|
-
parser = Slop::Parser.new cli_flags()
|
10
|
-
arguments = parse_arguments(command_line_options, parser)
|
11
|
-
validate_arguments arguments
|
12
12
|
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
13
|
+
def initialize(opts)
|
14
|
+
@opts = opts
|
15
|
+
@pastel = Pastel.new
|
16
|
+
_validate_arguments
|
17
|
+
_show_logo
|
18
|
+
end
|
19
|
+
|
20
|
+
def process!
|
21
|
+
if @opts.file?
|
22
|
+
@gems = Chelsea::Gems.new(file: @opts[:file])
|
23
|
+
@gems.execute
|
24
|
+
elsif @opts.help?
|
25
|
+
puts _cli_flags
|
26
|
+
|
17
27
|
end
|
18
28
|
end
|
19
29
|
|
20
|
-
|
21
|
-
|
30
|
+
# this is how you do static methods in ruby, because in a test we want to
|
31
|
+
# check for version without opts, and heck, we don't even want a dang object!
|
32
|
+
def self.version
|
33
|
+
Chelsea::VERSION
|
22
34
|
end
|
23
35
|
|
24
|
-
|
36
|
+
protected
|
37
|
+
|
38
|
+
def _cli_flags
|
25
39
|
opts = Slop::Options.new
|
26
40
|
opts.banner = "usage: chelsea [options] ..."
|
27
41
|
opts.separator ""
|
28
42
|
opts.separator 'Options:'
|
29
|
-
opts.bool '-h', '--help', 'show usage'
|
30
|
-
opts.
|
43
|
+
opts.bool '-h', '--help', 'show usage'
|
44
|
+
opts.bool '-q', '--quiet', 'make chelsea only output vulnerable third party dependencies for text output (default: false)', default: false
|
45
|
+
opts.string '-t', '--format', 'choose what type of format you want your report in (default: text) (options: text, json, xml)', default: 'text'
|
46
|
+
opts.string '-f', '--file', 'path to your Gemfile.lock'
|
31
47
|
opts.on '--version', 'print the version' do
|
32
48
|
puts version()
|
33
49
|
exit
|
@@ -36,56 +52,36 @@ module Chelsea
|
|
36
52
|
opts
|
37
53
|
end
|
38
54
|
|
39
|
-
def
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
end
|
44
|
-
|
45
|
-
def number_of_required_flags_set(arguments)
|
46
|
-
minimum_flags = flags
|
47
|
-
valid_flags = minimum_flags.collect {|a| arguments.fetch(a) }.compact
|
48
|
-
valid_flags.count
|
49
|
-
end
|
50
|
-
|
51
|
-
def flags
|
52
|
-
[:file, :help]
|
53
|
-
end
|
54
|
-
|
55
|
-
def flags_error
|
56
|
-
switches = flags.collect {|f| "--#{f}"}
|
57
|
-
puts cli_flags
|
55
|
+
def _flags_error
|
56
|
+
# should be custom exception!
|
57
|
+
switches = _flags.collect {|f| "--#{f}"}
|
58
|
+
puts _cli_flags
|
58
59
|
puts
|
59
60
|
abort "please set one of #{switches}"
|
60
61
|
end
|
61
62
|
|
62
|
-
def
|
63
|
-
|
64
|
-
|
63
|
+
def _validate_arguments
|
64
|
+
if !_flags_set? && !@opts.file?
|
65
|
+
## require at least one argument
|
66
|
+
_flags_error
|
67
|
+
end
|
65
68
|
end
|
66
69
|
|
67
|
-
def
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
rescue Slop::UnknownOption
|
73
|
-
# print help
|
74
|
-
puts cli_flags()
|
75
|
-
exit
|
76
|
-
end
|
70
|
+
def _flags_set?
|
71
|
+
# I'm still unsure what this is trying to express
|
72
|
+
valid_flags = _flags.collect {|arg| @opts[arg] }.compact
|
73
|
+
valid_flags.count > 1
|
77
74
|
end
|
78
75
|
|
79
|
-
def
|
80
|
-
|
76
|
+
def _flags
|
77
|
+
# Seems wrong, should all be handled by bin
|
78
|
+
[:file, :help]
|
81
79
|
end
|
82
|
-
|
83
|
-
def
|
84
|
-
@pastel = Pastel.new
|
85
|
-
require 'tty-font'
|
80
|
+
|
81
|
+
def _show_logo()
|
86
82
|
font = TTY::Font.new(:doom)
|
87
83
|
puts @pastel.green(font.write("Chelsea"))
|
88
|
-
puts @pastel.green("Version: " + version
|
84
|
+
puts @pastel.green("Version: " + CLI::version)
|
89
85
|
end
|
90
86
|
end
|
91
87
|
end
|
data/lib/chelsea/deps.rb
ADDED
@@ -0,0 +1,171 @@
|
|
1
|
+
require 'bundler'
|
2
|
+
require 'bundler/lockfile_parser'
|
3
|
+
require 'rubygems'
|
4
|
+
require 'rubygems/commands/dependency_command'
|
5
|
+
require_relative 'dependency_exception'
|
6
|
+
require 'json'
|
7
|
+
require 'rest-client'
|
8
|
+
require 'pstore'
|
9
|
+
|
10
|
+
|
11
|
+
module Chelsea
|
12
|
+
class Deps
|
13
|
+
attr_reader :server_response, :reverse_dependencies, :coordinates
|
14
|
+
|
15
|
+
def initialize(path: , quiet: false)
|
16
|
+
@path, @quiet = path, quiet
|
17
|
+
|
18
|
+
begin
|
19
|
+
@lockfile = Bundler::LockfileParser.new(
|
20
|
+
File.read(@path)
|
21
|
+
)
|
22
|
+
rescue
|
23
|
+
raise "Gemfile.lock not parseable, please check file or that it's path is valid"
|
24
|
+
end
|
25
|
+
|
26
|
+
@dependencies = {}
|
27
|
+
@reverse_dependencies = {}
|
28
|
+
@dependencies_versions = {}
|
29
|
+
@coordinates = { 'coordinates' => [] }
|
30
|
+
@server_response = []
|
31
|
+
@store = PStore.new(_get_db_store_location())
|
32
|
+
end
|
33
|
+
|
34
|
+
def to_h(reverse: false)
|
35
|
+
if reverse
|
36
|
+
@reverse_dependencies
|
37
|
+
else
|
38
|
+
@dependencies
|
39
|
+
end
|
40
|
+
end
|
41
|
+
|
42
|
+
def nil?
|
43
|
+
@dependencies.empty?
|
44
|
+
end
|
45
|
+
|
46
|
+
def self.to_purl(name, version)
|
47
|
+
return "pkg:gem/#{name}@#{version}"
|
48
|
+
end
|
49
|
+
|
50
|
+
def user_agent
|
51
|
+
"chelsea/#{Chelsea::VERSION}"
|
52
|
+
end
|
53
|
+
|
54
|
+
def get_dependencies
|
55
|
+
@lockfile.specs.each do |gem|\
|
56
|
+
begin
|
57
|
+
@dependencies[gem.name] = [gem.name, gem.version]
|
58
|
+
rescue StandardError => e
|
59
|
+
raise Chelsea::DependencyException e, "Parsing dependency line #{gem} failed."
|
60
|
+
end
|
61
|
+
end
|
62
|
+
end
|
63
|
+
|
64
|
+
def get_reverse_dependencies
|
65
|
+
begin
|
66
|
+
reverse = Gem::Commands::DependencyCommand.new
|
67
|
+
reverse.options[:reverse_dependencies] = true
|
68
|
+
@reverse_dependencies = reverse.reverse_dependencies(@lockfile.specs).to_h
|
69
|
+
rescue => e
|
70
|
+
raise Chelsea::DependencyException e, "ReverseDependencyException"
|
71
|
+
end
|
72
|
+
end
|
73
|
+
|
74
|
+
def get_dependencies_versions_as_coordinates
|
75
|
+
@dependencies.each do |p, r|
|
76
|
+
o = r[0]
|
77
|
+
v = r[1].to_s
|
78
|
+
if v.split('.').length == 1 then
|
79
|
+
v = v + ".0.0"
|
80
|
+
elsif v.split('.').length == 2 then
|
81
|
+
v = v + ".0"
|
82
|
+
end
|
83
|
+
@dependencies_versions[p] = v
|
84
|
+
end
|
85
|
+
|
86
|
+
@dependencies_versions.each do |p, v|
|
87
|
+
@coordinates["coordinates"] << self.class.to_purl(p,v);
|
88
|
+
end
|
89
|
+
end
|
90
|
+
|
91
|
+
# Makes multiple REST calls
|
92
|
+
def get_vulns()
|
93
|
+
_check_db_for_cached_values()
|
94
|
+
|
95
|
+
if @coordinates["coordinates"].count() > 0
|
96
|
+
chunked = Hash.new()
|
97
|
+
@coordinates["coordinates"].each_slice(128).to_a.each do |coords|
|
98
|
+
# Won't this return the first successful slice?
|
99
|
+
chunked["coordinates"] = coords
|
100
|
+
r = RestClient.post "https://ossindex.sonatype.org/api/v3/component-report", chunked.to_json,
|
101
|
+
{ content_type: :json, accept: :json, 'User-Agent': user_agent }
|
102
|
+
if r.code == 200
|
103
|
+
@server_response = @server_response.concat(JSON.parse(r.body))
|
104
|
+
_save_values_to_db(JSON.parse(r.body))
|
105
|
+
@server_response.count()
|
106
|
+
else
|
107
|
+
0
|
108
|
+
end
|
109
|
+
end
|
110
|
+
else
|
111
|
+
#IDGI
|
112
|
+
@server_response.count()
|
113
|
+
end
|
114
|
+
end
|
115
|
+
|
116
|
+
protected
|
117
|
+
# This method will take an array of values, and save them to a pstore database
|
118
|
+
# and as well set a TTL of Time.now to be checked later
|
119
|
+
def _save_values_to_db(values)
|
120
|
+
values.each do |val|
|
121
|
+
if _get_cached_value_from_db(val["coordinates"]).nil?
|
122
|
+
new_val = val.dup
|
123
|
+
new_val["ttl"] = Time.now
|
124
|
+
@store.transaction do
|
125
|
+
@store[new_val["coordinates"]] = new_val
|
126
|
+
end
|
127
|
+
end
|
128
|
+
end
|
129
|
+
end
|
130
|
+
|
131
|
+
def _get_db_store_location()
|
132
|
+
initial_path = File.join("#{Dir.home}", ".ossindex")
|
133
|
+
Dir.mkdir(initial_path) unless File.exists? initial_path
|
134
|
+
path = File.join(initial_path, "chelsea.pstore")
|
135
|
+
end
|
136
|
+
|
137
|
+
# Checks pstore to see if a coordinate exists, and if it does also
|
138
|
+
# checks to see if it's ttl has expired. Returns nil unless a record
|
139
|
+
# is valid in the cache (ttl has not expired) and found
|
140
|
+
def _get_cached_value_from_db(coordinate)
|
141
|
+
record = @store.transaction { @store[coordinate] }
|
142
|
+
if !record.nil?
|
143
|
+
diff = (Time.now - record['ttl']) / 3600
|
144
|
+
if diff > 12
|
145
|
+
return nil
|
146
|
+
else
|
147
|
+
return record
|
148
|
+
end
|
149
|
+
else
|
150
|
+
return nil
|
151
|
+
end
|
152
|
+
end
|
153
|
+
|
154
|
+
# Goes through the list of @coordinates and checks pstore for them, if it finds a valid coord
|
155
|
+
# it will add it to the server response. If it does not, it will append the coord to a new hash
|
156
|
+
# and eventually set @coordinates to the new hash, so we query OSS Index on only coords not in cache
|
157
|
+
def _check_db_for_cached_values()
|
158
|
+
new_coords = Hash.new
|
159
|
+
new_coords["coordinates"] = Array.new
|
160
|
+
@coordinates["coordinates"].each do |coord|
|
161
|
+
record = _get_cached_value_from_db(coord)
|
162
|
+
if !record.nil?
|
163
|
+
@server_response << record
|
164
|
+
else
|
165
|
+
new_coords["coordinates"].push(coord)
|
166
|
+
end
|
167
|
+
end
|
168
|
+
@coordinates = new_coords
|
169
|
+
end
|
170
|
+
end
|
171
|
+
end
|
@@ -0,0 +1,16 @@
|
|
1
|
+
require_relative 'json'
|
2
|
+
require_relative 'xml'
|
3
|
+
require_relative 'text'
|
4
|
+
|
5
|
+
class FormatterFactory
|
6
|
+
def get_formatter(format: 'text', options: {})
|
7
|
+
case format
|
8
|
+
when 'text'
|
9
|
+
Chelsea::TextFormatter.new(options)
|
10
|
+
when 'json'
|
11
|
+
Chelsea::JsonFormatter.new(options)
|
12
|
+
when 'xml'
|
13
|
+
Chelsea::XMLFormatter.new(options)
|
14
|
+
end
|
15
|
+
end
|
16
|
+
end
|
@@ -0,0 +1,18 @@
|
|
1
|
+
require 'json'
|
2
|
+
require_relative 'formatter'
|
3
|
+
|
4
|
+
module Chelsea
|
5
|
+
class JsonFormatter < Formatter
|
6
|
+
def initialize(options)
|
7
|
+
@options = options
|
8
|
+
end
|
9
|
+
|
10
|
+
def get_results(server_response, reverse_deps)
|
11
|
+
server_response.to_json
|
12
|
+
end
|
13
|
+
|
14
|
+
def do_print(result)
|
15
|
+
puts result
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
@@ -0,0 +1,63 @@
|
|
1
|
+
require 'pastel'
|
2
|
+
require_relative 'formatter'
|
3
|
+
|
4
|
+
module Chelsea
|
5
|
+
class TextFormatter < Formatter
|
6
|
+
def initialize(quiet: false)
|
7
|
+
@quiet = quiet
|
8
|
+
@pastel = Pastel.new
|
9
|
+
end
|
10
|
+
|
11
|
+
def get_results(dependencies)
|
12
|
+
response = String.new
|
13
|
+
if !@quiet
|
14
|
+
response += "\n"\
|
15
|
+
"Audit Results\n"\
|
16
|
+
"=============\n"
|
17
|
+
end
|
18
|
+
|
19
|
+
i = 0
|
20
|
+
count = dependencies.server_response.count()
|
21
|
+
dependencies.server_response.each do |r|
|
22
|
+
i += 1
|
23
|
+
package = r["coordinates"]
|
24
|
+
vulnerable = r["vulnerabilities"].length() > 0
|
25
|
+
coord = r["coordinates"].sub("pkg:gem/", "")
|
26
|
+
name = coord.split('@')[0]
|
27
|
+
version = coord.split('@')[1]
|
28
|
+
reverse_deps = dependencies.reverse_dependencies["#{name}-#{version}"]
|
29
|
+
if vulnerable
|
30
|
+
response += @pastel.red("[#{i}/#{count}] - #{package} ") + @pastel.red.bold("Vulnerable.\n")
|
31
|
+
response += _get_reverse_deps(reverse_deps, name)
|
32
|
+
r["vulnerabilities"].each do |k, v|
|
33
|
+
response += @pastel.red.bold(" #{k}:#{v}\n")
|
34
|
+
end
|
35
|
+
else
|
36
|
+
if !@quiet
|
37
|
+
response += @pastel.white("[#{i}/#{count}] - #{package} ") + @pastel.green.bold("No vulnerabilities found!\n")
|
38
|
+
response += _get_reverse_deps(reverse_deps, name)
|
39
|
+
end
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
response
|
44
|
+
end
|
45
|
+
|
46
|
+
def do_print(results)
|
47
|
+
puts results
|
48
|
+
end
|
49
|
+
|
50
|
+
# Right now this looks at all Ruby deps, so it might find some in your Library, but that don't belong to your project
|
51
|
+
def _get_reverse_deps(coord, name)
|
52
|
+
response = String.new
|
53
|
+
coord.each do |dep|
|
54
|
+
dep.each do |gran|
|
55
|
+
if gran.class == String && !gran.include?(name)
|
56
|
+
response += "\tRequired by: #{gran}\n"
|
57
|
+
end
|
58
|
+
end
|
59
|
+
end
|
60
|
+
response
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
@@ -0,0 +1,60 @@
|
|
1
|
+
require 'ox'
|
2
|
+
require_relative 'formatter'
|
3
|
+
module Chelsea
|
4
|
+
class XMLFormatter < Formatter
|
5
|
+
def initialize(options)
|
6
|
+
@options = options
|
7
|
+
end
|
8
|
+
|
9
|
+
def get_results(server_response, reverse_deps)
|
10
|
+
doc = Ox::Document.new
|
11
|
+
instruct = Ox::Instruct.new(:xml)
|
12
|
+
instruct[:version] = '1.0'
|
13
|
+
instruct[:encoding] = 'UTF-8'
|
14
|
+
instruct[:standalone] = 'yes'
|
15
|
+
doc << instruct
|
16
|
+
|
17
|
+
testsuite = Ox::Element.new('testsuite')
|
18
|
+
testsuite[:name] = "purl"
|
19
|
+
testsuite[:tests] = server_response.count()
|
20
|
+
doc << testsuite
|
21
|
+
|
22
|
+
server_response.each do |coord|
|
23
|
+
testcase = Ox::Element.new('testcase')
|
24
|
+
testcase[:classname] = coord["coordinates"]
|
25
|
+
testcase[:name] = coord["coordinates"]
|
26
|
+
|
27
|
+
if coord["vulnerabilities"].length() > 0
|
28
|
+
failure = Ox::Element.new('failure')
|
29
|
+
failure[:type] = "Vulnerable Dependency"
|
30
|
+
failure << get_vulnerability_block(coord["vulnerabilities"])
|
31
|
+
testcase << failure
|
32
|
+
end
|
33
|
+
|
34
|
+
testsuite << testcase
|
35
|
+
end
|
36
|
+
|
37
|
+
doc
|
38
|
+
end
|
39
|
+
|
40
|
+
def do_print(results)
|
41
|
+
puts Ox.dump(results)
|
42
|
+
end
|
43
|
+
|
44
|
+
def get_vulnerability_block(vulnerabilities)
|
45
|
+
vulnBlock = String.new
|
46
|
+
vulnerabilities.each do |vuln|
|
47
|
+
vulnBlock += "Vulnerability Title: #{vuln["title"]}\n"\
|
48
|
+
"ID: #{vuln["id"]}\n"\
|
49
|
+
"Description: #{vuln["description"]}\n"\
|
50
|
+
"CVSS Score: #{vuln["cvssScore"]}\n"\
|
51
|
+
"CVSS Vector: #{vuln["cvssVector"]}\n"\
|
52
|
+
"CVE: #{vuln["cve"]}\n"\
|
53
|
+
"Reference: #{vuln["reference"]}"\
|
54
|
+
"\n"
|
55
|
+
end
|
56
|
+
|
57
|
+
vulnBlock
|
58
|
+
end
|
59
|
+
end
|
60
|
+
end
|
data/lib/chelsea/gems.rb
CHANGED
@@ -4,273 +4,115 @@ require 'pastel'
|
|
4
4
|
require 'tty-spinner'
|
5
5
|
require 'bundler'
|
6
6
|
require 'bundler/lockfile_parser'
|
7
|
-
require_relative 'version'
|
8
7
|
require 'rubygems'
|
9
8
|
require 'rubygems/commands/dependency_command'
|
10
|
-
|
9
|
+
require_relative 'version'
|
10
|
+
require_relative 'formatters/factory'
|
11
|
+
require_relative 'deps'
|
12
|
+
|
11
13
|
|
12
14
|
module Chelsea
|
13
15
|
class Gems
|
14
|
-
def initialize(file, options)
|
15
|
-
@file = file
|
16
|
-
@options = options
|
17
|
-
@pastel = Pastel.new
|
18
|
-
@dependencies = Hash.new()
|
19
|
-
@dependencies_versions = Hash.new()
|
20
|
-
@coordinates = Hash.new()
|
21
|
-
@coordinates["coordinates"] = Array.new()
|
22
|
-
@server_response = Array.new()
|
23
|
-
@reverse_deps = Hash.new()
|
24
|
-
@store = PStore.new(get_db_store_location())
|
16
|
+
def initialize(file:, quiet: false, options: {})
|
17
|
+
@file, @quiet, @options = file, quiet, options
|
25
18
|
|
26
|
-
if not
|
27
|
-
|
19
|
+
if not _gemfile_lock_file_exists? or file.nil?
|
20
|
+
raise "Gemfile.lock not found, check --file path"
|
28
21
|
end
|
29
|
-
|
30
|
-
|
31
|
-
@
|
32
|
-
File.read(path)
|
33
|
-
)
|
34
|
-
end
|
35
|
-
|
36
|
-
def get_db_store_location()
|
37
|
-
initial_path = File.join("#{Dir.home}", ".ossindex")
|
38
|
-
Dir.mkdir(initial_path) unless File.exists? initial_path
|
39
|
-
path = File.join(initial_path, "chelsea.pstore")
|
22
|
+
@pastel = Pastel.new
|
23
|
+
@formatter = FormatterFactory.new.get_formatter(@options)
|
24
|
+
@deps = Chelsea::Deps.new({path: Pathname.new(@file)})
|
40
25
|
end
|
41
26
|
|
42
|
-
def execute(input: $stdin, output: $stdout)
|
43
|
-
|
44
|
-
if
|
45
|
-
|
27
|
+
def execute(input: $stdin, output: $stdout)
|
28
|
+
audit
|
29
|
+
if @deps.nil?
|
30
|
+
_print_err "No dependencies retrieved. Exiting."
|
46
31
|
return
|
47
32
|
end
|
48
|
-
|
49
|
-
|
50
|
-
n = get_vulns()
|
51
|
-
if n == 0
|
52
|
-
print_err "No vulnerability data retrieved from server. Exiting."
|
33
|
+
if !@deps.server_response.count
|
34
|
+
_print_err "No vulnerability data retrieved from server. Exiting."
|
53
35
|
return
|
54
36
|
end
|
55
|
-
|
37
|
+
@formatter.do_print(@formatter.get_results(@deps))
|
56
38
|
end
|
57
39
|
|
58
|
-
def
|
59
|
-
|
60
|
-
|
61
|
-
else
|
62
|
-
path = Pathname.new(@file)
|
63
|
-
return true
|
40
|
+
def audit
|
41
|
+
unless @quiet
|
42
|
+
spinner = _spin_msg "Parsing dependencies"
|
64
43
|
end
|
65
|
-
end
|
66
|
-
|
67
|
-
def get_dependencies()
|
68
|
-
format = "[#{@pastel.green(':spinner')}] " + @pastel.white("Parsing dependencies")
|
69
|
-
spinner = TTY::Spinner.new(format, success_mark: @pastel.green('+'), hide_cursor: true)
|
70
|
-
spinner.auto_spin()
|
71
|
-
|
72
|
-
reverse = Gem::Commands::DependencyCommand.new
|
73
|
-
reverse.options[:reverse_dependencies] = true
|
74
|
-
@reverse_deps = reverse.reverse_dependencies(@lockfile.specs)
|
75
44
|
|
76
|
-
|
77
|
-
@
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
end
|
82
|
-
|
83
|
-
c = @dependencies.count()
|
84
|
-
spinner.success("...done. Parsed #{c} dependencies.")
|
85
|
-
c
|
86
|
-
end
|
87
|
-
|
88
|
-
def get_dependencies_versions()
|
89
|
-
format = "[#{@pastel.green(':spinner')}] " + @pastel.white("Parsing versions")
|
90
|
-
spinner = TTY::Spinner.new(format, success_mark: @pastel.green('+'), hide_cursor: true)
|
91
|
-
spinner.auto_spin()
|
92
|
-
@dependencies.each do |p, r|
|
93
|
-
o = r[0]
|
94
|
-
v = r[1].to_s
|
95
|
-
if v.split('.').length == 1 then
|
96
|
-
v = v + ".0.0"
|
97
|
-
elsif v.split('.').length == 2 then
|
98
|
-
v = v + ".0"
|
45
|
+
begin
|
46
|
+
@deps.get_dependencies
|
47
|
+
rescue StandardError => e
|
48
|
+
unless @quiet
|
49
|
+
spinner.stop
|
99
50
|
end
|
100
|
-
|
51
|
+
_print_err "Parsing dependency line #{gem} failed."
|
101
52
|
end
|
102
|
-
c = @dependencies_versions.count()
|
103
|
-
spinner.success("...done.")
|
104
|
-
c
|
105
|
-
end
|
106
|
-
|
107
|
-
def get_coordinates()
|
108
|
-
@dependencies_versions.each do |p, v|
|
109
|
-
@coordinates["coordinates"] << "pkg:gem/#{p}@#{v}";
|
110
|
-
end
|
111
|
-
end
|
112
|
-
|
113
|
-
def get_vulns()
|
114
|
-
require 'json'
|
115
|
-
require 'rest-client'
|
116
|
-
format = "[#{@pastel.green(':spinner')}] " + @pastel.white("Making request to OSS Index server")
|
117
|
-
spinner = TTY::Spinner.new(format, success_mark: @pastel.green('+'), hide_cursor: true)
|
118
|
-
spinner.auto_spin()
|
119
53
|
|
120
|
-
|
54
|
+
@deps.get_reverse_dependencies
|
121
55
|
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
{content_type: :json, accept: :json, 'User-Agent': get_user_agent()}
|
128
|
-
|
129
|
-
if r.code == 200
|
130
|
-
@server_response = @server_response.concat(JSON.parse(r.body))
|
131
|
-
save_values_to_db(JSON.parse(r.body))
|
132
|
-
spinner.success("...done.")
|
133
|
-
@server_response.count()
|
134
|
-
else
|
135
|
-
spinner.stop("...request failed.")
|
136
|
-
print_err "Error getting data from OSS Index server. Server returned non-success code #{r.code}."
|
137
|
-
0
|
138
|
-
end
|
139
|
-
end
|
140
|
-
else
|
56
|
+
unless @quiet
|
57
|
+
spinner = _spin_msg "Parsing Versions"
|
58
|
+
end
|
59
|
+
@deps.get_dependencies_versions_as_coordinates
|
60
|
+
unless @quiet
|
141
61
|
spinner.success("...done.")
|
142
|
-
@server_response.count()
|
143
62
|
end
|
144
|
-
rescue SocketError => e
|
145
|
-
spinner.stop("...request failed.")
|
146
|
-
print_err "Socket error getting data from OSS Index server."
|
147
|
-
0
|
148
|
-
rescue RestClient::RequestFailed => e
|
149
|
-
spinner.stop("Request failed.")
|
150
|
-
print_err "Error getting data from OSS Index server:#{e.response}."
|
151
|
-
0
|
152
|
-
rescue RestClient::ResourceNotfound => e
|
153
|
-
spinner.stop("...request failed.")
|
154
|
-
print_err "Error getting data from OSS Index server. Resource not found."
|
155
|
-
0
|
156
|
-
rescue Errno::ECONNREFUSED => e
|
157
|
-
spinner.stop("...request failed.")
|
158
|
-
print_err "Error getting data from OSS Index server. Connection refused."
|
159
|
-
0
|
160
|
-
rescue StandardError => e
|
161
|
-
spinner.stop("...request failed.")
|
162
|
-
print_err "UNKNOWN Error getting data from OSS Index server."
|
163
|
-
0
|
164
|
-
end
|
165
63
|
|
166
|
-
|
167
|
-
|
168
|
-
puts "Audit Results"
|
169
|
-
puts "============="
|
170
|
-
i = 0
|
171
|
-
count = @server_response.count()
|
172
|
-
@server_response.each do |r|
|
173
|
-
i += 1
|
174
|
-
package = r["coordinates"]
|
175
|
-
vulnerable = r["vulnerabilities"].length() > 0
|
176
|
-
coord = r["coordinates"].sub("pkg:gem/", "")
|
177
|
-
name = coord.split('@')[0]
|
178
|
-
version = coord.split('@')[1]
|
179
|
-
reverse_dep_coord = "#{name}-#{version}"
|
180
|
-
if vulnerable
|
181
|
-
puts @pastel.red("[#{i}/#{count}] - #{package} ") + @pastel.red.bold("Vulnerable.")
|
182
|
-
print_reverse_deps(@reverse_deps[reverse_dep_coord], name, version)
|
183
|
-
r["vulnerabilities"].each do |k, v|
|
184
|
-
puts @pastel.red.bold(" #{k}:#{v}")
|
185
|
-
end
|
186
|
-
else
|
187
|
-
puts(@pastel.white("[#{i}/#{count}] - #{package} ") + @pastel.green.bold("No vulnerabilities found!"))
|
188
|
-
print_reverse_deps(@reverse_deps[reverse_dep_coord], name, version)
|
189
|
-
end
|
64
|
+
unless @quiet
|
65
|
+
spinner = _spin_msg "Making request to OSS Index server"
|
190
66
|
end
|
191
|
-
end
|
192
67
|
|
193
|
-
|
194
|
-
|
195
|
-
|
196
|
-
|
197
|
-
|
198
|
-
|
199
|
-
|
200
|
-
|
201
|
-
|
68
|
+
begin
|
69
|
+
@deps.get_vulns
|
70
|
+
rescue SocketError => e
|
71
|
+
unless @quiet
|
72
|
+
spinner.stop("...request failed.")
|
73
|
+
end
|
74
|
+
_print_err "Socket error getting data from OSS Index server."
|
75
|
+
rescue RestClient::RequestFailed => e
|
76
|
+
unless @quiet
|
77
|
+
spinner.stop("...request failed.")
|
78
|
+
end
|
79
|
+
_print_err "Error getting data from OSS Index server:#{e.response}."
|
80
|
+
rescue RestClient::ResourceNotfound => e
|
81
|
+
unless @quiet
|
82
|
+
spinner.stop("...request failed.")
|
202
83
|
end
|
84
|
+
_print_err "Error getting data from OSS Index server. Resource not found."
|
85
|
+
rescue Errno::ECONNREFUSED => e
|
86
|
+
unless @quiet
|
87
|
+
spinner.stop("...request failed.")
|
88
|
+
end
|
89
|
+
_print_err "Error getting data from OSS Index server. Connection refused."
|
90
|
+
rescue StandardError => e
|
91
|
+
unless @quiet
|
92
|
+
spinner.stop("...request failed.")
|
93
|
+
end
|
94
|
+
_print_err "UNKNOWN Error getting data from OSS Index server."
|
203
95
|
end
|
204
96
|
end
|
205
97
|
|
206
|
-
|
207
|
-
|
208
|
-
|
209
|
-
|
98
|
+
protected
|
99
|
+
def _spin_msg(msg)
|
100
|
+
format = "[#{@pastel.green(':spinner')}] " + @pastel.white(msg)
|
101
|
+
spinner = TTY::Spinner.new(format, success_mark: @pastel.green('+'), hide_cursor: true)
|
102
|
+
spinner.auto_spin()
|
103
|
+
spinner
|
210
104
|
end
|
211
105
|
|
212
|
-
def
|
106
|
+
def _print_err(s)
|
213
107
|
puts @pastel.red.bold(s)
|
214
108
|
end
|
215
109
|
|
216
|
-
def
|
110
|
+
def _print_success(s)
|
217
111
|
puts @pastel.green.bold(s)
|
218
112
|
end
|
219
113
|
|
220
|
-
|
221
|
-
|
222
|
-
def get_user_agent()
|
223
|
-
user_agent = "chelsea/#{Chelsea::VERSION}"
|
224
|
-
|
225
|
-
user_agent
|
226
|
-
end
|
227
|
-
|
228
|
-
# This method will take an array of values, and save them to a pstore database
|
229
|
-
# and as well set a TTL of Time.now to be checked later
|
230
|
-
def save_values_to_db(values)
|
231
|
-
values.each do |val|
|
232
|
-
if get_cached_value_from_db(val["coordinates"]).nil?
|
233
|
-
new_val = val.dup
|
234
|
-
new_val["ttl"] = Time.now
|
235
|
-
@store.transaction do
|
236
|
-
@store[new_val["coordinates"]] = new_val
|
237
|
-
end
|
238
|
-
end
|
239
|
-
end
|
240
|
-
end
|
241
|
-
|
242
|
-
# Checks pstore to see if a coordinate exists, and if it does also
|
243
|
-
# checks to see if it's ttl has expired. Returns nil unless a record
|
244
|
-
# is valid in the cache (ttl has not expired) and found
|
245
|
-
def get_cached_value_from_db(coordinate)
|
246
|
-
record = @store.transaction { @store[coordinate] }
|
247
|
-
if !record.nil?
|
248
|
-
diff = (Time.now - record['ttl']) / 3600
|
249
|
-
if diff > 12
|
250
|
-
return nil
|
251
|
-
else
|
252
|
-
return record
|
253
|
-
end
|
254
|
-
else
|
255
|
-
return nil
|
256
|
-
end
|
257
|
-
end
|
258
|
-
|
259
|
-
# Goes through the list of @coordinates and checks pstore for them, if it finds a valid coord
|
260
|
-
# it will add it to the server response. If it does not, it will append the coord to a new hash
|
261
|
-
# and eventually set @coordinates to the new hash, so we query OSS Index on only coords not in cache
|
262
|
-
def check_db_for_cached_values()
|
263
|
-
new_coords = Hash.new
|
264
|
-
new_coords["coordinates"] = Array.new
|
265
|
-
@coordinates["coordinates"].each do |coord|
|
266
|
-
record = get_cached_value_from_db(coord)
|
267
|
-
if !record.nil?
|
268
|
-
@server_response << record
|
269
|
-
else
|
270
|
-
new_coords["coordinates"].push(coord)
|
271
|
-
end
|
272
|
-
end
|
273
|
-
@coordinates = new_coords
|
114
|
+
def _gemfile_lock_file_exists?
|
115
|
+
::File.file? @file
|
274
116
|
end
|
275
117
|
end
|
276
|
-
end
|
118
|
+
end
|
data/lib/chelsea/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: chelsea
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Allister Beharry
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-03
|
11
|
+
date: 2020-04-03 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: tty-font
|
@@ -44,14 +44,14 @@ dependencies:
|
|
44
44
|
requirements:
|
45
45
|
- - "~>"
|
46
46
|
- !ruby/object:Gem::Version
|
47
|
-
version: 4.8.
|
47
|
+
version: 4.8.1
|
48
48
|
type: :runtime
|
49
49
|
prerelease: false
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
51
51
|
requirements:
|
52
52
|
- - "~>"
|
53
53
|
- !ruby/object:Gem::Version
|
54
|
-
version: 4.8.
|
54
|
+
version: 4.8.1
|
55
55
|
- !ruby/object:Gem::Dependency
|
56
56
|
name: pastel
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
@@ -100,6 +100,20 @@ dependencies:
|
|
100
100
|
- - "<"
|
101
101
|
- !ruby/object:Gem::Version
|
102
102
|
version: '3'
|
103
|
+
- !ruby/object:Gem::Dependency
|
104
|
+
name: ox
|
105
|
+
requirement: !ruby/object:Gem::Requirement
|
106
|
+
requirements:
|
107
|
+
- - "~>"
|
108
|
+
- !ruby/object:Gem::Version
|
109
|
+
version: 2.13.2
|
110
|
+
type: :runtime
|
111
|
+
prerelease: false
|
112
|
+
version_requirements: !ruby/object:Gem::Requirement
|
113
|
+
requirements:
|
114
|
+
- - "~>"
|
115
|
+
- !ruby/object:Gem::Version
|
116
|
+
version: 2.13.2
|
103
117
|
- !ruby/object:Gem::Dependency
|
104
118
|
name: rake
|
105
119
|
requirement: !ruby/object:Gem::Requirement
|
@@ -142,6 +156,20 @@ dependencies:
|
|
142
156
|
- - "~>"
|
143
157
|
- !ruby/object:Gem::Version
|
144
158
|
version: 0.4.1
|
159
|
+
- !ruby/object:Gem::Dependency
|
160
|
+
name: webmock
|
161
|
+
requirement: !ruby/object:Gem::Requirement
|
162
|
+
requirements:
|
163
|
+
- - "~>"
|
164
|
+
- !ruby/object:Gem::Version
|
165
|
+
version: 3.8.3
|
166
|
+
type: :development
|
167
|
+
prerelease: false
|
168
|
+
version_requirements: !ruby/object:Gem::Requirement
|
169
|
+
requirements:
|
170
|
+
- - "~>"
|
171
|
+
- !ruby/object:Gem::Version
|
172
|
+
version: 3.8.3
|
145
173
|
description:
|
146
174
|
email:
|
147
175
|
- allister.beharry@gmail.com
|
@@ -171,6 +199,13 @@ files:
|
|
171
199
|
- chelsea.gemspec
|
172
200
|
- lib/chelsea.rb
|
173
201
|
- lib/chelsea/cli.rb
|
202
|
+
- lib/chelsea/dependency_exception.rb
|
203
|
+
- lib/chelsea/deps.rb
|
204
|
+
- lib/chelsea/formatters/factory.rb
|
205
|
+
- lib/chelsea/formatters/formatter.rb
|
206
|
+
- lib/chelsea/formatters/json.rb
|
207
|
+
- lib/chelsea/formatters/text.rb
|
208
|
+
- lib/chelsea/formatters/xml.rb
|
174
209
|
- lib/chelsea/gems.rb
|
175
210
|
- lib/chelsea/version.rb
|
176
211
|
homepage: https://github.com/sonatype-nexus-community/chelsea
|