denmark 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 73d9e39f18a874e61b889ce6adae3f7793e40af5f0077aede656c47c02305c14
-  data.tar.gz: d3b7d990966b04a22a66fb44ccc53202bb2046eecbd5f696f0e7496e6b07be03
+  metadata.gz: f9f7e41d628d1cb52bd1af3055c8f34ada3edcc8092e2d1c779fd30a37dd72ad
+  data.tar.gz: 76829cb396c0115321efeccbe91c51adaf8f77cac48657b75399579c1c6e94ea
 SHA512:
-  metadata.gz: e7bfbddb66940d3433376f357ccd41f9fd34e5cb077a2b5274492f078636a4c5cc65d68740c397f384375dbfd072137a8cd80e2962009dfdf805c0a403384f2e
-  data.tar.gz: c90ba1f9cf0af6a71301cd0592e0ae3322cbf68c9d1630e4ff22ee9574252f8265f968a2d39b956b9c7754a396f75dfb86b1c2e84e231c3cc22769d45e5b0b1f
+  metadata.gz: f3ae368e8233da41ac9926f0163184ee5f580750245e8c7af82554efc21bf2a1593202a9d05163c3b1238ef0dcd1064cfe8be89be353faeb5d8e05742b5dd628
+  data.tar.gz: e320a6024a23c1c707627352b7f7ec4ded0bad2bbf397b5f2f2c65d83ea10ad31d8d92f6cb936f7d7d10998345cfa8fde5435f5d57c5a31f3c2352bd4bf80bf1

data/README.md

@@ -6,9 +6,12 @@
 I'm sure you've had the experience of evaluating modules on the Puppet Forge. Maybe
 you were comparing a handful that all claimed to meet your needs, or maybe you were
 just determining whether a specific module met your standards for deploying into
-your production environment.
+your production environment. With tools like `puppet-lint` and the PDK, it's fairly
+straightforward to evaluate code quality. But what about the health of the project
+itself? Is it actively maintained? Are Forge releases kept up to date? What are the
+chances that the latest release was compromised with a hidden bitcoin miner?
 
-How did you go about it? You probably
+How do you answer those sorts of questions? You probably
 
 * Skimmed the module's README for signs of the author's diligence.
 * Poked through the issue list and pull requests on the repository hosting the module

data/bin/denmark

@@ -6,8 +6,9 @@ require 'denmark/version'
 class Denmark
   extend GLI::App
 
-  program_desc 'A simple tool for checking Puppet Forge modules for maintenance smells'
-  version      Denmark::VERSION
+  program_desc   'A simple tool for checking Puppet Forge modules for maintenance smells'
+  version        Denmark::VERSION
+  wrap_help_text :verbatim
 
   pre do |global, command, options, args|
     Denmark.config = YAML.load_file("#{Dir.home}/.config/denmark.yaml") rescue {}
@@ -30,8 +31,18 @@ class Denmark
     end
   end
 
-  desc 'Smell test a module using all enabled tests'
-  command :smell do |c|
+  desc 'Smell test a module using all enabled tests.'
+  long_desc <<~DESC
+    Pass this command the name of a module, the path to a module or its
+    `metadata.json`, or simply execute it within the root directory of a module.
+
+    Examples:
+      $ denmark binford2k-node_encrypt
+      $ denmark /Users/ben/Projects/binford2k-node_encrypt
+      $ denmark /Users/ben/Projects/binford2k-node_encrypt/metadata.json
+      $ cd Projects/binford2k-node_encrypt && denmark
+  DESC
+  command [:smell,:check] do |c|
     c.desc 'Lists of tests to enable'
     c.flag [:enable, :e], :type => Array
 

data/lib/denmark/monkeypatches.rb

@@ -1,8 +1,11 @@
 # frozen_string_literal: true
+require 'paint'
+require 'paint/shortcuts'
 
 class Array
   def percent_of(digits = nil)
     raise "Select the items you want to count using a block that returns a boolean" unless block_given?
+    return 0 if self.empty?
 
     count = self.size
     match = 0
@@ -17,3 +20,11 @@ class Array
     end
   end
 end
+
+Paint::SHORTCUTS[:color] = {
+  :red    => Paint.color(:red),
+  :orange => Paint.color('orange', :bright),
+  :yellow => Paint.color(:yellow),
+  :green  => Paint.color(:green),
+}
+include Paint::Color::Prefix::ColorName

data/lib/denmark/plugins/metadata.rb

@@ -29,13 +29,21 @@ class Denmark::Plugins::Metadata
 
     if (Date.today - release_date) > 365
       response << {
-        severity: :yellow,
+        severity: :green,
         message: "The most current module release is more than a year old.",
-        explanation: "Sometimes when issues are not responded to, it means that the project is no longer being maintained. You might consider contacting the maintainer to determine the status of the project.",
+        explanation: "Sometimes a module not seeing regular updates is a sign that it's no longer being maintained. You might consider contacting the maintainer to determine the status of the project.",
+      }
+    end
+
+    if (Date.today - release_date) < 15
+      response << {
+        severity: :green,
+        message: "The latest module release is less than two weeks old.",
+        explanation: "Sometimes it's a good idea to let the early adopters shake out the bugs with a new release.",
       }
     end
 
-    if version != repo_metadata[:version]
+    if version != repo_metadata['version']
       response << {
         severity: :red,
         message: "The version released on the Forge does not match the version in the repository.",
@@ -51,7 +59,7 @@ class Denmark::Plugins::Metadata
       }
     end
 
-    if version != latest_tag
+    unless [version, "v#{version}"].include? latest_tag
       response << {
         severity: :yellow,
         message: "The version released on the Forge does not match the latest tag in the repo.",
@@ -71,7 +79,7 @@ class Denmark::Plugins::Metadata
       response << {
         severity: :green,
         message: "There was a gap of at least a year between the last two releases.",
-        explanation: "A large gap between releases often shows sporadic maintenance. This is not always bad.",
+        explanation: "A large gap between releases often shows sporadic maintenance. This doesn't necessarily indicate anything wrong, but attackers do sometimes target stagnant projects in the hope that they'll be undetected for a longer time period.",
       }
     end
 

data/lib/denmark/plugins/timeline.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+# environments plugin
+class Denmark::Plugins::Timeline
+  def self.description
+    # This is a Ruby squiggle heredoc; just a multi-line string with indentation removed
+    <<~DESCRIPTION
+      This smell test infers trends a module base on its timeline of issues and commits and whatnot.
+    DESCRIPTION
+  end
+  def self.setup
+    # run just before evaluating this plugin
+  end
+
+  def self.run(mod, repo)
+    # return an array of hashes representing any smells discovered
+    response = Array.new
+
+    unreleased  = repo.commits_since_tag.size
+    new_issues  = repo.issues_since_tag.size
+    taggers     = repo.committers(repo.tags)
+    last_tagger = taggers.shift
+
+    unsigned_commits = repo.commits.percent_of {|i| not repo.verified(i) }
+    unsigned_tags = repo.tags.percent_of {|i| not repo.verified(i) }
+
+    unless taggers.include? last_tagger
+      response << {
+        severity: :yellow,
+        message: "The last tag was pushed by #{last_tagger}, who has not tagged any other release.",
+        explanation: "This often indicates that a project has recently changed owners. Check to ensure you still know who's maintaining the project.",
+      }
+    end
+
+    unless repo.verified(repo.tags.first)
+      response << {
+        severity: :yellow,
+        message: "The last tag was not verified.",
+        explanation: "Many authors don't bother to sign their tags. This means you have no way to ensure who creates them.",
+      }
+    end
+
+    # this smell would be more accurate if we weighted more recent commits
+    if (25..75).include? unsigned_commits
+      response << {
+        severity: :green,
+        message: "#{unsigned_commits}% of the commits in this repo are not signed.",
+        explanation: "The repository is using signed commits, but some of the contributions are unverified.",
+      }
+    end
+
+    # this smell would be more accurate if we weighted more recent tags
+    if (15..85).include? unsigned_tags
+      response << {
+        severity: :green,
+        message: "#{unsigned_tags}% of the tags in this repo are not signed.",
+        explanation: "The repository is using signed tags, but a significant number are unverified.",
+      }
+    end
+
+    if unsigned_tags > 85 and not repo.verified(repo.tags.first)
+      response << {
+        severity: :red,
+        message: "Most tags in this repo are signed, but not the latest one.",
+        explanation: "At best, this means a sloppy release. But it could also mean a compromised release.",
+      }
+    end
+
+    if unreleased > 10
+      response << {
+        severity: :yellow,
+        message: "There are #{unreleased} commits since the last release.",
+        explanation: "Sometimes maintainers forget to make a release. Maybe you should remind them?",
+      }
+    end
+
+    if new_issues > 5
+      response << {
+        severity: :yellow,
+        message: "There have been #{new_issues} issues since the last tagged release.",
+        explanation: "Many issues on a release might indicate that there's a problem with it.",
+      }
+    end
+
+    response
+  end
+
+  def self.cleanup
+    # run just after evaluating this plugin
+  end
+end

data/lib/denmark/repository.rb

@@ -54,6 +54,45 @@ class Denmark::Repository
     end
   end
 
+  def issues_since_tag(tag = nil)
+    tag ||= tags[0]
+    case @flavor
+    when :github
+      issues_since(commit_date(tag.commit.sha))
+    when :gitlab
+      issues_since(tag.commit.created_at)
+    else
+      Array.new
+    end
+  end
+
+  def issues_since(date)
+    case @flavor
+    when :github
+      @client.issues(@repo, {:state => 'open', :since=> date}).reject {|i| i[:pull_request] }
+    when :gitlab
+      @client.issues(@repo, updated_after: date, scope: 'all')
+    else
+      Array.new
+    end
+  end
+
+  def committers(list)
+    list = Array(list)
+    case @flavor
+    when :github
+      list.reduce(Array.new) do |acc, item|
+        acc << (item.author&.login || commit(item.commit.sha).author.login)
+      end
+    when :gitlab
+      list.reduce(Array.new) do |acc, item|
+        acc << item.commit.author_name
+      end
+    else
+      Array.new
+    end
+  end
+
   def tags
     case @flavor
     when :github, :gitlab
@@ -74,6 +113,22 @@ class Denmark::Repository
     end
   end
 
+  def verified(item)
+    case @flavor
+    when :github
+      if item.commit.verification.nil?
+        commit(item.commit.sha).commit.verification.verified
+      else
+        item.commit.verification&.verified
+      end
+    when :gitlab
+      commit(tag.commit.id).verification.verification_status == 'verified'
+    else
+      false
+    end
+
+  end
+
   def commit(sha)
     case @flavor
     when :github, :gitlab
@@ -99,10 +154,8 @@ class Denmark::Repository
     when :gitlab
       @client.commit(@repo, sha).commit.created_at.to_date
     else
-      Array.new
+      nil
     end
-
-
   end
 
   def commits_since_tag(tag = nil)
@@ -110,7 +163,7 @@ class Denmark::Repository
 
     case @flavor
     when :github
-      @client.commits_since(@repo, tag.commit.committer.date)
+      @client.commits_since(@repo, commit_date(tag.commit.sha))
     when :gitlab
       @client.commits(@repo, since: tag.commit.created_at)
     else

data/lib/denmark/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 class Denmark
-  VERSION = '0.0.2'
+  VERSION = '0.0.3'
 end

data/lib/denmark.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'json'
-require 'colorize'
 require 'httpclient'
 require 'puppet_forge'
 require 'denmark/plugins'
@@ -31,7 +30,8 @@ class Denmark
 
   def self.evaluate(slug, options)
     @options = options
-    slug.sub!('/', '-')
+    slug = resolve_slug(slug)
+
     begin
       mod = PuppetForge::Module.find(slug)
     rescue Faraday::BadRequestError, Faraday::ResourceNotFound
@@ -51,6 +51,23 @@ class Denmark
     end
   end
 
+  def self.resolve_slug(path)
+    begin
+      if path.nil?
+        path = JSON.parse(File.read('metadata.json'))['name']
+      elsif File.directory?(path)
+        path = JSON.parse(File.read("#{path}/metadata.json"))['name']
+      elsif path.end_with?('metadata.json')
+        path = JSON.parse(File.read(path))['name']
+      end
+    rescue Errno::ENOENT => e
+      raise "Cannot load metadata from '#{path}'. Pass this tool the name of a module, or the local path to a module."
+    end
+
+    # if we get this far, assume it's the name of a module and normalize it
+    path.sub('/', '-')
+  end
+
   def self.generate_report(data)
     if data.empty?
       puts "Congrats, no smells discovered"
@@ -60,7 +77,7 @@ class Denmark
         alerts = data.select {|i| i[:severity] == severity}
         next unless alerts.size > 0
 
-        puts "[#{severity.upcase}] alerts:".colorize(severity)
+        puts "[#{severity.upcase}] alerts:".color_name(severity)
         alerts.each do |alert|
           puts "  #{alert[:message]}"
           puts "    > #{alert[:explanation]}" if @options[:detail]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: denmark
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - Ben Ford
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-02-02 00:00:00.000000000 Z
+date: 2022-02-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -123,19 +123,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '4.0'
 - !ruby/object:Gem::Dependency
-  name: colorize
+  name: paint
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: paint-shortcuts
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 description: |
   Denmark will check a Puppet module for things you should be concerned about, like signs of an
   unmaintained module. It uses the Puppet Forge API and GitHub/GitLab APIs to discover information
@@ -155,6 +169,7 @@ files:
 - lib/denmark/plugins/issues.rb
 - lib/denmark/plugins/metadata.rb
 - lib/denmark/plugins/pull_requests.rb
+- lib/denmark/plugins/timeline.rb
 - lib/denmark/repository.rb
 - lib/denmark/version.rb
 homepage: https://github.com/binford2k/denmark