dependency-timeline-audit 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d4fb437a64c2b990372ff5137b6deb79d5405f5522e81b02830108cc43596155
-  data.tar.gz: 9edf8bfe737bb3991802e93c01d272aa786b4bd1dd8a6733c6de17099175b013
+  metadata.gz: 3ac86eaf5319d8a10dc42fd001c0f32a15a5421bd861ce24faf2b4bcb462493d
+  data.tar.gz: 9a67aac946d8265cb908d521ed90f2de25fe245bb0f141766faae266e4fb678d
 SHA512:
-  metadata.gz: 9e19239773413b37e23d54c21dd22cbbc65f65102f778d5437676da683fb76a202bf197f7b01e6ce874f8ce6761e53ccd7d9e2d9985a4096d46e9a86ae63e769
-  data.tar.gz: e52bc4921722fc2be009aed94f7009917d4034ccc48c4f130c4fac5651af46e482d58765fd0171c87ecdd2abb2431d479926de3be4b6dc9d8c08684cabf37374
+  metadata.gz: af4097c658cefeb2853b4fe6d4e1f517a976a7d6bde91eaf69660cd9da95f80f0cf392f3986b7298dafbaa34259b526f501c5170d481dcf2e0be84d306a68853
+  data.tar.gz: 70a6bbfd8e7c40c39c427133d8e528a00fc54d10bdb68784aadac12a3ad60b1fc1c34aca1fe73d4e88b9fe852282b50f3a527aeca69be8498bff84c6926c78ac

data/bin/dependency-timeline-audit

@@ -13,6 +13,7 @@ begin
     opts.on('-i', '--interactive-ignore', 'Allows interactively generating an ignore file')
     opts.on('-v', '--verbose', 'Provides more verbose output')
     opts.on('--lockfile=LOCKFILE', 'Allows overwriting where the lockfile is located (default: "Gemfile.lock")')
+    opts.on('--no-lockfile', "Don't use a lockfile")
     opts.on('--outdated-threshold=YEARS', Integer, 'Allows overwriting the number of years before a gem is considered outdated (default: 1)')
     opts.on_tail('-h', '--help', 'Prints this help') do
       puts opts
@@ -28,7 +29,6 @@ rescue OptionParser::InvalidOption, OptionParser::MissingArgument => e
   exit(1)
 end
 
-DependencyTimelineAudit::Check.check(
-  lockfile: options[:lockfile],
-  verbose: options[:verbose]
-)
+config = DependencyTimelineAudit::Config.new(options)
+checker = DependencyTimelineAudit::Check.new(config: config)
+checker.check

data/lib/dependency-timeline-audit/api.rb

@@ -0,0 +1,57 @@
+require 'net/http'
+require 'json'
+
+module DependencyTimelineAudit
+  class API
+    API_URL = 'https://rubygems.org/api/v1/versions/'
+    CACHE_DIRECTORY = "#{Dir.pwd}/.dependency-timeline-audit/cache/ruby/"
+    EXCEPTIONS_DIRECTORY = "#{Dir.pwd}/.dependency-timeline-audit/exceptions/ruby/"
+    @@gem_cache = {}
+
+    def self.fetch_gem_info(gem_name)
+      if !cached?(gem_name) || cache_outdated?(gem_name)
+        update_cache(gem_name)
+      end
+
+      gem_cache(gem_name)
+    end
+
+    def self.cached?(gem_name)
+      File.exist?(gem_cache_file(gem_name))
+    end
+
+    # TODO: Implement cache_outdated? method using config.cache_expires_after
+    def self.cache_outdated?(gem_name)
+      false
+    end
+
+    def self.gem_cache_file(gem_name)
+      File.join(CACHE_DIRECTORY, "#{gem_name}.json")
+    end
+
+    def self.update_cache(gem_name)
+      response = rubygems_api_response(gem_name)
+      gem_cache = GemCache.new(JSON.parse(response))
+
+      FileUtils.mkdir_p(CACHE_DIRECTORY) unless File.directory?(CACHE_DIRECTORY)
+      File.open(gem_cache_file(gem_name), 'w') do |file|
+        file.write(JSON.pretty_generate(gem_cache.to_h))
+      end
+
+      gem_cache(gem_name)
+    end
+
+    def self.rubygems_api_response(gem_name)
+      url = URI("#{API_URL}#{gem_name}.json")
+      Net::HTTP.get(url)
+    end
+
+    def self.gem_cache(gem_name)
+      if @@gem_cache[gem_name].nil? && cached?(gem_name)
+        @@gem_cache[gem_name] = GemCache.new(JSON.parse(File.read(gem_cache_file(gem_name))))
+      end
+
+      @@gem_cache[gem_name]
+    end
+  end
+end

data/lib/dependency-timeline-audit/check.rb

@@ -1,32 +1,29 @@
 require 'date'
-require 'active_support/all'
 
 module DependencyTimelineAudit
   class Check
-    # TODO: activesupport is kinda hefty for just grabbing 1.year.ago, remove
-    def self.outdated_threshold
-      1.year.ago
+    attr_reader :config
+
+    def initialize(config:)
+      @config = config
     end
 
-    def self.check(lockfile: 'Gemfile.lock', verbose: true)
+    def check
       outdated_versions = []
       locked_gems.each do |gem|
-        lock_released_at = GemInfo.version_created_at(gem[:name], gem[:locked_version])
-        latest_version = GemInfo.latest_version(gem[:name])
-        outdated_versions.push(gem[:name]) if gem_outdated?(lock_released_at)
-        print_info(gem, lock_released_at, latest_version) if verbose
+        outdated_versions.push(gem) if gem.locked_version.outdated?
+        gem.print_info if config.verbose
       end
 
-      print "\n" if verbose
+      print "\n" if config.verbose
 
       if outdated_versions.any?
-        set_text_color_red
+        TextFormat.color = :red
         puts "Outdated gems detected!"
         puts " - #{outdated_versions.join(', ')}"
 
         exit(1) # Failure
       else
-        reset_text_style
         puts "All gems are within the accepted threshold!"
 
         exit(0) # Success
@@ -35,61 +32,15 @@ module DependencyTimelineAudit
 
     private
 
-    def self.gem_outdated?(released_at)
-      released_at <= outdated_threshold
-    end
-
-    def self.print_info(gem, lock_released_at, latest_version)
-      puts "Gem: \e[1m#{gem[:name]}\e[0m"
-      set_text_color(lock_released_at, gem[:locked_version] == latest_version[:version])
-      puts "  - Locked to: #{gem[:locked_version]} (Released: #{format_date(lock_released_at)})"
-      set_text_color(latest_version[:created_at])
-      puts "  - Latest: #{latest_version[:version]} (Released: #{format_date(latest_version[:created_at])})"
-      reset_text_style
-    end
-
-    def self.set_text_color(released_at, using_latest = true)
-      if gem_outdated?(released_at)
-        set_text_color_red
-      else
-        if using_latest
-          set_text_color_green
+    def locked_gems
+      lockfile_parser = Bundler::LockfileParser.new(File.read(config.lockfile))
+      lockfile_parser.specs.map do |spec|
+        if spec.source.is_a?(Bundler::Source::Git)
+          Gem.new(config: config, name: spec.name, locked_version: spec.source.revision)
         else
-          set_text_color_yellow
+          Gem.new(config: config, name: spec.name, locked_version: spec.version)
         end
       end
     end
-
-    def self.set_text_bold
-      print "\e[1m"
-    end
-
-    def self.set_text_color_red
-      print "\e[31m"
-    end
-
-    def self.set_text_color_green
-      print "\e[32m"
-    end
-
-    def self.set_text_color_yellow
-      print "\e[33m"
-    end
-
-    def self.reset_text_style
-      print "\e[0m"
-    end
-
-    def self.locked_gems
-      lockfile = Bundler::LockfileParser.new(File.read('Gemfile.lock'))
-      lockfile.specs.map do |gem|
-        { name: gem.name, locked_version: gem.version.to_s }
-      end
-    end
-
-    def self.format_date(date_string)
-      date = Date.parse(date_string)
-      date.strftime("%Y-%m-%d")
-    end
   end
 end

data/lib/dependency-timeline-audit/config.rb

@@ -0,0 +1,27 @@
+require 'active_support/all'
+
+module DependencyTimelineAudit
+  class Config
+    attr_reader :verbose, :lockfile, :outdated_threshold
+
+    def initialize(options)
+      @verbose = value_or_default(options[:verbose], false)
+      @lockfile = value_or_default(options[:lockfile], 'Gemfile.lock')
+      @outdated_threshold = value_or_default(options[:outdated_threshold], 3)
+
+      # FIXME: There is probably a better way to handle the guard clauses and type casting
+      if @outdated_threshold.to_i <= 0
+        raise InvalidOption, "Outdated Threshold must be an integer greater than 0"
+      end
+
+      # TODO: activesupport is kinda hefty for just grabbing X.years.ago, remove
+      @outdated_threshold = @outdated_threshold.to_i.years.ago
+    end
+
+    private
+
+    def value_or_default(value, default)
+      !value.nil? ? value : default
+    end
+  end
+end

data/lib/dependency-timeline-audit/gem.rb

@@ -0,0 +1,37 @@
+module DependencyTimelineAudit
+  class Gem
+    attr_reader :name, :locked_version, :latest_version, :config
+
+    def initialize(config:, name:, locked_version:)
+      @config = config
+      @name = name
+      @locked_version = GemVersion.new(gem: self, name: locked_version)
+      @latest_version = GemVersion.new(gem: self, name: api.latest_version)
+    end
+
+    def to_s
+      name.to_s
+    end
+
+    def print_info
+      puts "Gem: #{TextFormat.bold}#{name}#{TextFormat.reset}"
+      TextFormat.color = locked_version.color
+      puts "  - Locked to: #{locked_version.name} (Released: #{format_date(locked_version.released_at)})"
+      TextFormat.color = latest_version.color
+      puts "  - Latest: #{latest_version.name} (Released: #{format_date(latest_version.released_at)})"
+      TextFormat.reset!
+    end
+
+    private
+
+    def api
+      API.fetch_gem_info(name)
+    end
+
+    def format_date(date_string)
+      return 'Unknown' if date_string.nil?
+      date = Date.parse(date_string)
+      date.strftime("%Y-%m-%d")
+    end
+  end
+end

data/lib/dependency-timeline-audit/gem_cache.rb

@@ -0,0 +1,24 @@
+module DependencyTimelineAudit
+  class GemCache
+    attr_reader :versions
+
+    def initialize(gem_info)
+      @versions = gem_info || []
+    end
+
+    def latest_version
+      latest = versions.first # The first entry is the latest version
+      version_number = latest['number']
+    end
+
+    # Find the version that matches the requested version string
+    def version(version_number)
+      version_info = versions.find { |v| v['number'] == version_number }
+      GemVersionCache.new(version_info)
+    end
+
+    def to_h
+      versions
+    end
+  end
+end

data/lib/dependency-timeline-audit/gem_version.rb

@@ -0,0 +1,47 @@
+module DependencyTimelineAudit
+  class GemVersion
+    attr_reader :gem, :config, :name
+
+    def initialize(gem:, name:)
+      @gem = gem
+      @config = gem.config
+      @name = name.to_s
+    end
+
+    def ==(other)
+      return name == other.name if other.is_a?(GemVersion)
+
+      nil
+    end
+
+    def to_s
+      name.to_s
+    end
+
+    # If release date is unknown, leave it as not outdated
+    def outdated?
+      return false if released_at.nil?
+      released_at <= config.outdated_threshold
+    end
+
+    def latest?
+      gem.latest_version == self
+    end
+
+    def color
+      return :red if outdated?
+      return :green if latest?
+      :yellow
+    end
+
+    def released_at
+      api.released_at
+    end
+
+    private
+
+    def api
+      API.fetch_gem_info(gem.name).version(name)
+    end
+  end
+end

data/lib/dependency-timeline-audit/gem_version_cache.rb

@@ -0,0 +1,11 @@
+module DependencyTimelineAudit
+  class GemVersionCache
+    def initialize(version_info)
+      @version_info = version_info || {}
+    end
+
+    def released_at
+      @version_info['created_at']
+    end
+  end
+end

data/lib/dependency-timeline-audit/text_format.rb

@@ -0,0 +1,51 @@
+module DependencyTimelineAudit
+  class TextFormat
+    class << self
+      def color=(color)
+        case color
+        when :red
+          print red
+        when :green
+          print green
+        when :yellow
+          print yellow
+        else
+          raise ArgumentError, "Unknown color: #{color}"
+        end
+      end
+
+      def style=(style)
+        case style
+        when :bold
+          print bold
+        else
+          raise ArgumentError, "Unknown style: #{style}"
+        end
+      end
+
+      def reset!
+        print reset
+      end
+
+      def reset
+        "\e[0m"
+      end
+
+      def bold
+        "\e[1m"
+      end
+
+      def red
+        "\e[31m"
+      end
+
+      def green
+        "\e[32m"
+      end
+
+      def yellow
+        "\e[33m"
+      end
+    end
+  end
+end

data/lib/dependency-timeline-audit/version.rb

@@ -2,7 +2,7 @@ module DependencyTimelineAudit
   module VERSION
     MAJOR = 0
     MINOR = 0
-    PATCH = 2
+    PATCH = 3
 
     STRING = [MAJOR, MINOR, PATCH].join('.')
   end

data/lib/dependency-timeline-audit.rb

@@ -1,9 +1,15 @@
 module DependencyTimelineAudit
-  autoload :Check, 'dependency-timeline-audit/check'
-  autoload :GemInfo, 'dependency-timeline-audit/gem_info'
-  autoload :VERSION, 'dependency-timeline-audit/version'
+  autoload :API,             'dependency-timeline-audit/api'
+  autoload :Check,           'dependency-timeline-audit/check'
+  autoload :Config,          'dependency-timeline-audit/config'
+  autoload :GemCache,        'dependency-timeline-audit/gem_cache'
+  autoload :GemVersionCache, 'dependency-timeline-audit/gem_version_cache'
+  autoload :GemVersion,      'dependency-timeline-audit/gem_version'
+  autoload :Gem,             'dependency-timeline-audit/gem'
+  autoload :TextFormat,      'dependency-timeline-audit/text_format'
+  autoload :VERSION,         'dependency-timeline-audit/version'
 
   def self.gem_version
-    Gem::Version.new VERSION::STRING
+    ::Gem::Version.new VERSION::STRING
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependency-timeline-audit
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - Josh Buker
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-09-26 00:00:00.000000000 Z
+date: 2024-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -47,8 +47,14 @@ extra_rdoc_files: []
 files:
 - bin/dependency-timeline-audit
 - lib/dependency-timeline-audit.rb
+- lib/dependency-timeline-audit/api.rb
 - lib/dependency-timeline-audit/check.rb
-- lib/dependency-timeline-audit/gem_info.rb
+- lib/dependency-timeline-audit/config.rb
+- lib/dependency-timeline-audit/gem.rb
+- lib/dependency-timeline-audit/gem_cache.rb
+- lib/dependency-timeline-audit/gem_version.rb
+- lib/dependency-timeline-audit/gem_version_cache.rb
+- lib/dependency-timeline-audit/text_format.rb
 - lib/dependency-timeline-audit/version.rb
 homepage: https://github.com/CloudSecurityAlliance/Dependency-Timeline-Audit
 licenses:

data/lib/dependency-timeline-audit/gem_info.rb

@@ -1,41 +0,0 @@
-require 'net/http'
-require 'json'
-
-module DependencyTimelineAudit
-  # Define a class for interacting with the RubyGems API
-  class GemInfo
-    API_URL = 'https://rubygems.org/api/v1/versions/'
-    @@gem_cache = {}
-
-    # Method to fetch the gem data and cache it
-    def self.fetch_gem_data(gem_name)
-      # Check if gem info is already cached
-      unless @@gem_cache[gem_name]
-        url = URI("#{API_URL}#{gem_name}.json")
-        response = Net::HTTP.get(url)
-        @@gem_cache[gem_name] = JSON.parse(response)
-      end
-
-      # Return cached gem info
-      @@gem_cache[gem_name]
-    end
-
-    # Method to fetch the latest version and its created_at timestamp
-    def self.latest_version(gem_name)
-      versions = fetch_gem_data(gem_name)
-      latest = versions.first # The first entry is the latest version
-      version_number = latest['number']
-      created_at = latest['created_at']
-      { version: version_number, created_at: created_at }
-    end
-
-    # Method to fetch the created_at timestamp for a specific version
-    def self.version_created_at(gem_name, version)
-      versions = fetch_gem_data(gem_name)
-      # Find the version that matches the requested version string
-      version_info = versions.find { |v| v['number'] == version }
-
-      version_info.present? ? version_info['created_at'] : nil
-    end
-  end
-end