cocoapods-blacklist 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 9cca51d9dd36eede866eab703e1db970e52025d1
+  data.tar.gz: 3c4e7fa8aa095c09495c1302fe095eeda24ee494
+SHA512:
+  metadata.gz: 64efab4771af409d8b4f8e4a8786662908fe883a78192bd7c7f6b0c873dcc1d57c315398c286ff3a7d6667df5d39d2c9510583017b3b2de864638f9657ec5495
+  data.tar.gz: 5d3ccae9c71785d81f53a6ba23572917c38546a69d9e058231c70c93cfce655ee87e53448f6c81c413f4f614454d0b814e785bf4545960bdbc33b7d3570e765b

data/.gitignore

@@ -0,0 +1,7 @@
+.DS_Store
+pkg
+.idea/
+*.gem
+.bundle
+vendor
+

data/.travis.yml

@@ -0,0 +1,21 @@
+# Sets Travis to run the Ruby specs on OS X machines to be as close as possible
+# to the user environment.
+#
+language: objective-c
+
+env:
+  - RVM_RUBY_VERSION=system
+  # - RVM_RUBY_VERSION=1.8.7-p358
+
+before_install:
+  - export LANG=en_US.UTF-8
+  - curl http://curl.haxx.se/ca/cacert.pem -o /usr/local/share/cacert.pem
+  - source ~/.rvm/scripts/rvm
+  - if [[ $RVM_RUBY_VERSION != 'system' ]]; then rvm install $RVM_RUBY_VERSION; fi
+  - rvm use $RVM_RUBY_VERSION
+  - if [[ $RVM_RUBY_VERSION == 'system' ]]; then sudo gem install bundler --no-ri --no-rdoc; else gem install bundler --no-ri --no-rdoc; fi
+
+install:
+  - sudo bundle install --without=documentation
+
+script: bundle exec rake specs

data/CHANGELOG.md

@@ -0,0 +1,11 @@
+## CHANGELOG
+
+# 0.1.0
+  - Public release (@dbgrandi 5/18/2015)
+
+# 0.0.2
+  - Show output for all failed pods (@dbgrandi 5/16/2015)
+
+# 0.0.1
+  - Added `check` command (@dbgrandi 4/27/2015)
+  

data/Gemfile

@@ -0,0 +1,11 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in cocoapods-blacklist.gemspec
+gemspec
+
+group :development do
+  gem 'cocoapods'
+  gem 'bacon'
+  gem 'webmock'
+end
+

data/Gemfile.lock

@@ -0,0 +1,76 @@
+PATH
+  remote: .
+  specs:
+    cocoapods-blacklist (0.1.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (4.2.1)
+      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    addressable (2.3.8)
+    bacon (1.2.0)
+    claide (0.8.1)
+    cocoapods (0.36.4)
+      activesupport (>= 3.2.15)
+      claide (~> 0.8.1)
+      cocoapods-core (= 0.36.4)
+      cocoapods-downloader (~> 0.9.0)
+      cocoapods-plugins (~> 0.4.1)
+      cocoapods-trunk (~> 0.6.0)
+      cocoapods-try (~> 0.4.3)
+      colored (~> 1.2)
+      escape (~> 0.0.4)
+      molinillo (~> 0.2.1)
+      nap (~> 0.8)
+      open4 (~> 1.3)
+      xcodeproj (~> 0.23.1)
+    cocoapods-core (0.36.4)
+      activesupport (>= 3.2.15)
+      fuzzy_match (~> 2.0.4)
+      nap (~> 0.8.0)
+    cocoapods-downloader (0.9.0)
+    cocoapods-plugins (0.4.2)
+      nap
+    cocoapods-trunk (0.6.0)
+      nap (>= 0.8)
+      netrc (= 0.7.8)
+    cocoapods-try (0.4.3)
+    colored (1.2)
+    crack (0.4.2)
+      safe_yaml (~> 1.0.0)
+    escape (0.0.4)
+    fuzzy_match (2.0.4)
+    i18n (0.7.0)
+    json (1.8.2)
+    minitest (5.6.0)
+    molinillo (0.2.3)
+    nap (0.8.0)
+    netrc (0.7.8)
+    open4 (1.3.4)
+    rake (10.4.2)
+    safe_yaml (1.0.4)
+    thread_safe (0.3.5)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    webmock (1.21.0)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+    xcodeproj (0.23.1)
+      activesupport (>= 3)
+      colored (~> 1.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bacon
+  bundler (~> 1.3)
+  cocoapods
+  cocoapods-blacklist!
+  rake
+  webmock

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2015 Yahoo, Inc. All rights reserved.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,50 @@
+# cocoapods-blacklist
+
+[![Build Status](https://travis-ci.org/yahoo/cocoapods-blacklist.svg?branch=master)](https://travis-ci.org/yahoo/cocoapods-blacklist)
+
+A CocoaPods plugin used to check a project against a list of pods that you do not want included in your build. Security is the primary use, but keeping specific pods that have conflicting licenses is another possible use.
+
+We use this in our continuous integration builds. If a security issue is found with a pod, we can update our `blacklist.json` file and builds will start to fail immediately. Developers don't always read the email about a new vulnerability. They definitely notice when the build fails. :smile:
+
+## Installation
+
+    $ gem install cocoapods-blacklist
+
+## Usage
+
+    $ pod blacklist [LOCKFILE] --config=BLACKLIST_CONFIG
+
+The `LOCKFILE` is optional, and `./Podfile.lock` is assumed if one is not explicitly passed in.
+
+## Blacklist config file
+
+The blacklist config file is a JSON file that has an array of pods, each one containing a hash with:
+
+- name: the same string you would use to include a pod in a `Podfile`
+- versions: a version string (or array of version strings) used to match the version
+- reason: a string used to explain why a pod is blacklisted, will be printed out when a check fails
+
+```
+{
+  "pods":[
+    {
+      "name":"FooKit",
+      "reason":"FooKit 1.2.2 did not check passwords on Thursdays",
+      "versions":"1.2.2"
+    },
+    {
+      "name":"BananaKit",
+      "reason":"Vulnerable to code injection with malformed BQL queries",
+      "versions":[">=3.4.2", "<3.6.0"]
+    }
+  ]
+}
+```
+
+## Contributors
+
+- David Grandinetti ([@dbgrandi](https://twitter.com/dbgrandi))
+
+## License
+
+Code licensed under the MIT license. See [LICENSE](https://github.com/yahoo/cocoapods-blacklist/blob/master/LICENSE) file for terms.

data/Rakefile

@@ -0,0 +1,13 @@
+require 'bundler/gem_tasks'
+
+def specs(dir)
+  FileList["spec/#{dir}/*_spec.rb"].shuffle.join(' ')
+end
+
+desc 'Runs all the specs'
+task :specs do
+  sh "bundle exec bacon #{specs('**')}"
+end
+
+task :default => :specs
+

data/cocoapods-blacklist.gemspec

@@ -0,0 +1,23 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'cocoapods-blacklist/gem_version.rb'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'cocoapods-blacklist'
+  spec.version       = CocoapodsBlacklist::VERSION
+  spec.authors       = ['David Grandinetti']
+  spec.email         = ['dbgrandi@yahoo-inc.com']
+  spec.description   = %q{A short description of cocoapods-blacklist.}
+  spec.summary       = %q{A longer description of cocoapods-blacklist.}
+  spec.homepage      = 'https://github.com/EXAMPLE/cocoapods-blacklist'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1.3'
+  spec.add_development_dependency 'rake'
+end

data/lib/cocoapods-blacklist.rb

@@ -0,0 +1,5 @@
+#  Created by David Grandinetti 4/27/2015
+#  Copyright (c) 2015 Yahoo, Inc.
+#  Licensed under the terms of the MIT License. See LICENSE file in the project root.
+
+require 'cocoapods-blacklist/gem_version'

data/lib/cocoapods-blacklist/command/blacklist.rb

@@ -0,0 +1,78 @@
+#  Created by David Grandinetti 4/27/2015
+#  Copyright (c) 2015 Yahoo, Inc.
+#  Licensed under the terms of the MIT License. See LICENSE file in the project root.
+
+require 'json'
+require 'open-uri'
+
+module Pod
+  class Command
+    class Blacklist < Command
+      self.summary = 'Validate a project against a list of banned pods.'
+
+      self.description = <<-DESC
+        Validate a project against a list of banned pods. Requires a lockfile
+        and a config file (JSON).
+        
+        example:
+        $ pod blacklist --config blacklist.json
+      DESC
+
+      self.arguments = [
+        CLAide::Argument.new('LOCKFILE', false),
+      ]
+      
+      def self.options
+        [
+          ['--config=CONFIG', 'Config file or URL for the blacklist'],
+          ['--warn', 'Only warn about use of banned pods'],
+        ].concat(super)
+      end
+
+      def initialize(argv)
+        @blacklist = argv.option('config')
+        @warn = argv.flag?('warn') || false
+        @lockfile_name = argv.shift_argument || "./Podfile.lock"
+        super
+      end
+
+      def validate!
+        super
+        unless File.exists?(@lockfile_name)
+          help! 'A lockfile and blacklist file are needed.'
+        end
+      end
+
+      def run
+        lockfile = Pod::Lockfile.from_file(Pathname.new(@lockfile_name))
+        open(@blacklist) do |f|
+          @blacklist_file = JSON.parse(f.read)
+        end
+
+        warned = false
+        failed_pods = {}
+        
+        @blacklist_file['pods'].each do |pod|
+          name = pod['name']
+          if lockfile.pod_names.include? name
+            version = Pod::Version.new(lockfile.version(name))
+            if Pod::Requirement.create(pod['versions']).satisfied_by?(version)
+              UI.puts "[!] Validation error: Use of #{name} #{version} for reason: #{pod['reason']}".yellow
+              failed_pods[name] = version
+              warned = true
+            end
+          end
+        end
+        if !warned
+          UI.puts "#{@lockfile_name} passed blacklist validation".green
+        else
+          failed_pod_string = failed_pods.map { |name, version| "#{name} (#{version})"}.join(", ")
+          unless @warn
+            raise Informative.new("Failed blacklist validation due to use of #{failed_pod_string}")
+          end
+        end
+      end
+      
+    end
+  end
+end

data/lib/cocoapods-blacklist/gem_version.rb

@@ -0,0 +1,7 @@
+#  Created by David Grandinetti 4/27/2015
+#  Copyright (c) 2015 Yahoo, Inc.
+#  Licensed under the terms of the MIT License. See LICENSE file in the project root.
+
+module CocoapodsBlacklist
+  VERSION = "0.1.0"
+end

data/lib/cocoapods_plugin.rb

@@ -0,0 +1,5 @@
+#  Created by David Grandinetti 4/27/2015
+#  Copyright (c) 2015 Yahoo, Inc.
+#  Licensed under the terms of the MIT License. See LICENSE file in the project root.
+
+require 'cocoapods-blacklist/command/blacklist'

data/spec/command/blacklist_spec.rb

@@ -0,0 +1,95 @@
+#  Created by David Grandinetti 4/27/2015
+#  Copyright (c) 2015 Yahoo, Inc.
+#  Licensed under the terms of the MIT License. See LICENSE file in the project root.
+
+require File.expand_path('../../spec_helper', __FILE__)
+
+GOOD_LOCKFILE = './spec/fixtures/GoodPodfile.lock'
+BAD_LOCKFILE = './spec/fixtures/BadPodfile.lock'
+DOUBLE_BAD_LOCKFILE = './spec/fixtures/DoubleBadPodfile.lock'
+BLACKLIST_FILE = './spec/fixtures/blacklist.json'
+BLACKLIST_URL = 'http://example.com/blacklist.json'
+
+NON_EXIST_FILE = './spec/fixtures/doesnotexist'
+
+module Pod
+  describe Command::Blacklist do
+    describe 'In general' do
+      it 'registers itself' do
+        Command.parse(%w{ blacklist }).should.be.instance_of Command::Blacklist
+      end
+      
+      it 'defaults to show help' do
+        lambda { run_command('blacklist') }.should.raise CLAide::Help
+      end
+    end
+    
+    it 'validates Podfile.lock exists if not passed in' do
+      command = Command.parse(['blacklist', "--config=#{BLACKLIST_FILE}"])
+      lambda { command.validate! }.should.raise CLAide::Help
+    end
+
+    it 'validates the lockfile exists if passed in' do
+      command = Command.parse(['blacklist', NON_EXIST_FILE, "--config=#{BLACKLIST_FILE}"])
+      lambda { command.validate! }.should.raise CLAide::Help
+    end
+
+    describe 'running with required args' do
+      it 'allows valid pods with a local blacklist file' do
+        command = Command.parse(['blacklist', GOOD_LOCKFILE, "--config=#{BLACKLIST_FILE}"])
+        lambda {
+          command.validate!
+          command.run
+        }.should.not.raise
+      end
+
+      it 'allows valid pods with a remote blacklist file' do
+        WebMock::API.stub_request(:get, "http://example.com/blacklist.json").
+          with(:headers => {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent'=>'Ruby'}).
+          to_return(:status => 200, :body => File.read(BLACKLIST_FILE), :headers => {})
+        
+        command = Command.parse(['blacklist', GOOD_LOCKFILE, "--config=#{BLACKLIST_URL}"])
+        lambda {
+          command.validate!
+          command.run
+        }.should.not.raise
+        UI.output.should.include "passed blacklist validation"
+      end
+      
+      describe 'having blacklisted pods' do
+        it 'disallows a banned pod' do
+          command = Command.parse(['blacklist', BAD_LOCKFILE, "--config=#{BLACKLIST_FILE}"])
+          exception = lambda {
+            command.validate!
+            command.run
+          }.should.raise Informative
+          exception.message.should.include "Failed blacklist validation due to use of BananaKit"
+          UI.output.should.include "Vulnerable to code injection with malformed BQL queries"
+        end
+        
+        it 'prints all banned pods' do
+          command = Command.parse(['blacklist', DOUBLE_BAD_LOCKFILE, "--config=#{BLACKLIST_FILE}"])
+          exception = lambda {
+            command.validate!
+            command.run
+          }.should.raise Informative
+          exception.message.should.include "Failed blacklist validation due to use of"
+          exception.message.should.include "BananaKit (3.4.7)"
+          exception.message.should.include "FooKit (1.2.2)"
+          UI.output.should.include "FooKit 1.2.2 did not check passwords on Thursdays"
+          UI.output.should.include "Vulnerable to code injection with malformed BQL queries"
+        end
+        
+        it 'warns about banned pods when --warn is used' do
+          command = Command.parse(['blacklist', DOUBLE_BAD_LOCKFILE, "--config=#{BLACKLIST_FILE}", "--warn"])
+          exception = lambda {
+            command.validate!
+            command.run
+          }.should.not.raise
+          UI.output.should.include "FooKit 1.2.2 did not check passwords on Thursdays"
+          UI.output.should.include "Vulnerable to code injection with malformed BQL queries"
+        end
+      end
+    end
+  end
+end

data/spec/fixtures/BadPodfile.lock

@@ -0,0 +1,10 @@
+PODS:
+  - BananaKit (3.4.7)
+
+DEPENDENCIES:
+  - BananaKit (~>3.4.0)
+
+SPEC CHECKSUMS:
+  BananaKit: 12148377a117d52b3ab1c61d164b65011d0c3eae
+
+COCOAPODS: 0.35.0

data/spec/fixtures/DoubleBadPodfile.lock

@@ -0,0 +1,13 @@
+PODS:
+  - BananaKit (3.4.7)
+  - FooKit (1.2.2)
+
+DEPENDENCIES:
+  - BananaKit (~>3.4.0)
+  - FooKit (~>1.2.0)
+
+SPEC CHECKSUMS:
+  BananaKit: 12148377a117d52b3ab1c61d164b65011d0c3eae
+  FooKit: 21239286b026e43a49c2b70e255a74102cfd2f9f
+
+COCOAPODS: 0.35.0

data/spec/fixtures/GoodPodfile.lock

@@ -0,0 +1,10 @@
+PODS:
+  - BananaKit (3.6.2)
+
+DEPENDENCIES:
+  - BananaKit (~>3.6.0)
+
+SPEC CHECKSUMS:
+  BananaKit: 12148377a117d52b3ab1c61d164b65011d0c3eae
+
+COCOAPODS: 0.35.0

data/spec/fixtures/blacklist.json

@@ -0,0 +1,14 @@
+{
+  "pods":[
+    {
+      "name":"FooKit",
+      "reason":"FooKit 1.2.2 did not check passwords on Thursdays",
+      "versions":"1.2.2"
+    },
+    {
+      "name":"BananaKit",
+      "reason":"Vulnerable to code injection with malformed BQL queries",
+      "versions": [">=3.4.2", "<3.6.0"]
+    }
+  ]
+}

data/spec/spec_helper.rb

@@ -0,0 +1,94 @@
+#  Created by David Grandinetti 4/27/2015
+#  Copyright (c) 2015 Yahoo, Inc.
+#  Licensed under the terms of the MIT License. See LICENSE file in the project root.
+
+require 'pathname'
+ROOT = Pathname.new(File.expand_path('../../', __FILE__))
+$:.unshift((ROOT + 'lib').to_s)
+$:.unshift((ROOT + 'spec').to_s)
+
+require 'bundler/setup'
+require 'bacon'
+require 'cocoapods'
+
+require 'webmock'
+WebMock.disable_net_connect!
+
+require 'cocoapods_plugin'
+
+#-----------------------------------------------------------------------------#
+
+module Pod
+
+  # Disable the wrapping so the output is deterministic in the tests.
+  #
+  UI.disable_wrap = true
+
+  # Redirects the messages to an internal store.
+  #
+  module UI
+    @output = ''
+    @warnings = ''
+
+    class << self
+      attr_accessor :output
+      attr_accessor :warnings
+
+      def puts(message = '')
+        @output << "#{message}\n"
+      end
+
+      def warn(message = '', actions = [])
+        @warnings << "#{message}\n"
+      end
+
+      def print(message)
+        @output << message
+      end
+    end
+  end
+end
+
+module SpecHelper
+  module Command
+    def argv(*argv)
+      CLAide::ARGV.new(argv)
+    end
+
+    def command(*argv)
+      argv << '--no-ansi'
+      Pod::Command.parse(argv)
+    end
+
+    def run_command(*args)
+      Pod::UI.output = ''
+      # @todo Remove this once all cocoapods has
+      # been converted to use the UI.puts
+      config_silent = config.silent?
+      config.silent = false
+      cmd = command(*args)
+      cmd.validate!
+      cmd.run
+      config.silent = config_silent
+      Pod::UI.output
+    end
+  end
+end
+
+Bacon.summary_at_exit
+
+module Bacon
+  class Context
+    include Pod::Config::Mixin
+    # include SpecHelper::Fixture
+    include SpecHelper::Command
+
+    # def skip_xcodebuild?
+    #   ENV['SKIP_XCODEBUILD']
+    # end
+
+    def temporary_directory
+      SpecHelper.temporary_directory
+    end
+  end
+end

metadata

@@ -0,0 +1,97 @@
+--- !ruby/object:Gem::Specification
+name: cocoapods-blacklist
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- David Grandinetti
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-05-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A short description of cocoapods-blacklist.
+email:
+- dbgrandi@yahoo-inc.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .travis.yml
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- cocoapods-blacklist.gemspec
+- lib/cocoapods-blacklist.rb
+- lib/cocoapods-blacklist/command/blacklist.rb
+- lib/cocoapods-blacklist/gem_version.rb
+- lib/cocoapods_plugin.rb
+- spec/command/blacklist_spec.rb
+- spec/fixtures/BadPodfile.lock
+- spec/fixtures/DoubleBadPodfile.lock
+- spec/fixtures/GoodPodfile.lock
+- spec/fixtures/blacklist.json
+- spec/spec_helper.rb
+homepage: https://github.com/EXAMPLE/cocoapods-blacklist
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: A longer description of cocoapods-blacklist.
+test_files:
+- spec/command/blacklist_spec.rb
+- spec/fixtures/BadPodfile.lock
+- spec/fixtures/DoubleBadPodfile.lock
+- spec/fixtures/GoodPodfile.lock
+- spec/fixtures/blacklist.json
+- spec/spec_helper.rb