dependency_spy 0.1.3

data/lib/dependency_spy.rb

@@ -0,0 +1,102 @@
+# dependency_spy - Finds known vulnerabilities in your dependencies
+# Copyright (C) 2017-2018 Rodrigo Fernandes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+require 'net/http'
+require 'socket'
+require 'yaml'
+require 'bibliothecary'
+require 'semantic_range'
+require 'yavdb'
+require 'yavdb/constants'
+
+require_relative 'dependency_spy/dtos/dependency'
+require_relative 'dependency_spy/semver'
+
+module DependencySpy
+  class API
+
+    def self.check(path = Dir.pwd, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
+      unless File.exist?(database_path)
+        puts 'Could not find local vulnerability database, going to download the database.'
+        YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
+      end
+
+      path             = File.expand_path(path)
+      package_managers = find_platform(platform)
+      file_list        = if File.file?(path)
+                           path = File.dirname(path)
+                           [File.basename(path)]
+                         else
+                           cmd = `find #{path} -type f | grep -vE "#{Bibliothecary.ignored_files_regex}"`
+                           cmd.split("\n").sort
+                         end
+      manifests        = package_managers.map { |pm| pm.analyse(path, file_list) }.flatten.compact
+      manifests.map do |manifest|
+        package_manager   = manifest[:platform]
+        manifest_filename = manifest[:path]
+        manifest_kind     = manifest[:kind]
+
+        dependency_vulns = manifest[:dependencies].map do |dependency|
+          package_name = dependency[:name] || dependency['name']
+          version      = dependency[:requirement] || dependency['version']
+          type         = dependency[:type] || dependency['type']
+
+          package_vulns = vulns(manifest[:platform], package_name, database_path)
+
+          vulnerabilities = package_vulns.select do |vuln|
+            vulnerable = vuln.vulnerable_versions ? vuln.vulnerable_versions.any? { |vv| DependencySpy::SemVer.intersects(vv, version) } : false
+            unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
+            patched    = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
+
+            vulnerable ||
+              (vuln.unaffected_versions&.any? && !unaffected) ||
+              (vuln.patched_versions&.any? && !patched)
+          end
+
+          Dependency.new(package_name, version, type, vulnerabilities.uniq)
+        end
+
+        Manifest.new(package_manager, manifest_filename, manifest_kind, dependency_vulns.uniq)
+      end
+    end
+
+    def self.update(vuln_repo_path = YAVDB::Constants::DEFAULT_YAVDB_PATH)
+      YAVDB::API.download_database(true, vuln_repo_path)
+    end
+
+    class << self
+
+      private
+
+      def vulns(package_manager, package_name, vuln_database_path)
+        YAVDB::API.list_vulnerabilities(package_manager, package_name, vuln_database_path)
+      end
+
+      def find_platform(platform)
+        if platform.nil?
+          Bibliothecary.package_managers
+        else
+          Bibliothecary::Parsers.constants
+            .select { |c| c.to_s.downcase.include?(platform) }
+            .map { |c| Bibliothecary::Parsers.const_get(c) }
+            .sort_by { |c| c.to_s.downcase }
+        end
+      end
+
+    end
+
+  end
+end

data/lib/dependency_spy/cli.rb

@@ -0,0 +1,71 @@
+# dependency_spy - Finds known vulnerabilities in your dependencies
+# Copyright (C) 2017-2018 Rodrigo Fernandes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+require 'thor'
+require 'yavdb/constants'
+
+require_relative '../dependency_spy'
+require_relative 'formatters/text'
+require_relative 'formatters/json'
+require_relative 'formatters/yaml'
+require_relative 'outputs/stdout'
+require_relative 'outputs/file'
+
+module DependencySpy
+  class CLI < Thor
+
+    default_task :check
+    map '--version' => :version
+
+    FORMATTERS = [
+      DependencySpy::Formatters::Text,
+      DependencySpy::Formatters::Json,
+      DependencySpy::Formatters::Yaml
+    ]
+
+    class_option('verbose', :type => :boolean, :default => false)
+
+    desc('check', 'Check dependencies for known vulnerabilities')
+    method_option('path', :aliases => :p, :type => :string, :default => Dir.pwd)
+    method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase }, :default => FORMATTERS.first.name.split('::').last.downcase)
+    method_option('platform', :aliases => :m, :type => :string, :enum => YAVDB::Constants::POSSIBLE_PACKAGE_MANAGERS.map(&:downcase))
+    method_option('output-path', :aliases => :o, :type => :string)
+    method_option('database-path', :type => :string, :aliases => :p, :default => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
+
+    def check
+      manifests = API.check(options['path'], options['platform'], options['database-path'])
+
+      formatted_output =
+        FORMATTERS
+          .find { |f| f.name.split('::').last.downcase == options['formatter'] }
+          .format(manifests)
+
+      if options['output-path']
+        DependencySpy::Outputs::FileSystem.write(options['output-path'], formatted_output)
+      else
+        DependencySpy::Outputs::StdOut.write(formatted_output)
+      end
+    end
+
+    method_option('vuln-db-path', :aliases => :d, :type => :string, :default => YAVDB::Constants::DEFAULT_YAVDB_PATH)
+    desc('update', 'Download or update database from the official yavdb repository.')
+
+    def update
+      API.update(options['vuln-db-path'])
+    end
+
+  end
+end

data/lib/dependency_spy/dtos/dependency.rb

@@ -0,0 +1,77 @@
+# dependency_spy - Finds known vulnerabilities in your dependencies
+# Copyright (C) 2017-2018 Rodrigo Fernandes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+module DependencySpy
+
+  class Manifest < Struct.new(
+    :platform, # [String]
+    :path, # [String]
+    :kind, # [String]
+    :dependencies # Array[Dependency]
+  )
+
+    def to_map
+      map = {}
+      members.each do |m|
+        next unless self[m] && (
+        (self[m].is_a?(String) && !self[m].empty?) ||
+          (self[m].is_a?(Array) && self[m].any?))
+
+        map[m.to_s] = self[m] if self[m]
+      end
+      map
+    end
+
+    def to_json(*attrs)
+      to_map.to_json(*attrs)
+    end
+
+    def to_yaml(*attrs)
+      to_map.to_yaml(*attrs)
+    end
+
+  end
+
+  class Dependency < Struct.new(
+    :name, # [String]
+    :version, # [String]
+    :type, # [String]
+    :vulnerabilities # Array[Advisory]
+  )
+
+    def to_map
+      map = {}
+      members.each do |m|
+        next unless self[m] && (
+        (self[m].is_a?(String) && !self[m].empty?) ||
+          (self[m].is_a?(Array) && self[m].any?))
+
+        map[m.to_s] = self[m] if self[m]
+      end
+      map
+    end
+
+    def to_json(*args)
+      to_map.to_json(*args)
+    end
+
+    def to_yaml(*args)
+      to_map.to_yaml(*args)
+    end
+
+  end
+
+end

data/lib/dependency_spy/formatters/json.rb

@@ -0,0 +1,40 @@
+# dependency_spy - Finds known vulnerabilities in your dependencies
+# Copyright (C) 2017-2018 Rodrigo Fernandes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+module DependencySpy
+  class Formatters
+    class Json
+
+      def self.format(manifests)
+        filtered_manifests = manifests.map do |manifest|
+          manifest[:dependencies] = manifest[:dependencies].map do |dependency|
+            next unless dependency[:vulnerabilities].any?
+
+            dependency[:vulnerabilities] = dependency[:vulnerabilities].map(&:to_map)
+            dependency
+          end.reject(&:nil?).map(&:to_map)
+          manifest
+        end
+
+        filtered_manifests
+          .reject { |m| m[:dependencies].nil? }
+          .map(&:to_map)
+          .map(&:to_json)
+      end
+
+    end
+  end
+end

data/lib/dependency_spy/formatters/text.rb

@@ -0,0 +1,53 @@
+# dependency_spy - Finds known vulnerabilities in your dependencies
+# Copyright (C) 2017-2018 Rodrigo Fernandes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+module DependencySpy
+  class Formatters
+    class Text
+
+      def self.format(manifests)
+        manifests_text = manifests.map do |manifest|
+          manifest_header = "#{manifest.platform}: #{manifest.kind} ~> #{manifest.path} "
+          manifest_body = manifest.dependencies.map do |package|
+            next unless package.vulnerabilities.any?
+
+            package_header = "    Vulnerable: #{package.name}/#{package.type}:#{package.version}"
+            package_body = package.vulnerabilities.map do |vuln|
+              first = "        Title: #{vuln.title}\n"
+              second = "        Severity: #{(vuln.severity || 'unknown').capitalize}\n"
+              third = "        Source: #{vuln.source_url}\n\n"
+
+              "#{first}#{second}#{third}"
+            end
+
+            "#{package_header}\n#{package_body.join("\n")}"
+          end
+
+          next unless manifest_body.any?
+
+          "#{manifest_header}\n#{manifest_body.reject(&:nil?).join("\n")}"
+        end
+
+        if manifests_text.any?
+          manifests_text.join("\n")
+        else
+          'No known vulnerabilities were found in your dependencies.'
+        end
+      end
+
+    end
+  end
+end

data/lib/dependency_spy/formatters/yaml.rb

@@ -0,0 +1,40 @@
+# dependency_spy - Finds known vulnerabilities in your dependencies
+# Copyright (C) 2017-2018 Rodrigo Fernandes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+module DependencySpy
+  class Formatters
+    class Yaml
+
+      def self.format(manifests)
+        filtered_manifests = manifests.map do |manifest|
+          manifest[:dependencies] = manifest[:dependencies].map do |dependency|
+            next unless dependency[:vulnerabilities].any?
+
+            dependency[:vulnerabilities] = dependency[:vulnerabilities].map(&:to_map)
+            dependency
+          end.reject(&:nil?).map(&:to_map)
+          manifest
+        end
+
+        filtered_manifests
+          .reject { |m| m[:dependencies].nil? }
+          .map(&:to_map)
+          .map(&:to_yaml)
+      end
+
+    end
+  end
+end

data/lib/dependency_spy/outputs/file.rb

@@ -0,0 +1,33 @@
+# dependency_spy - Finds known vulnerabilities in your dependencies
+# Copyright (C) 2017-2018 Rodrigo Fernandes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+module DependencySpy
+  class Outputs
+    class FileSystem
+
+      def self.write(path, output)
+        file           = File.expand_path(path)
+        path_directory = File.dirname(file)
+        FileUtils.mkdir_p(path_directory) unless File.exist?(path_directory)
+
+        File.open(file, 'wb') do |f|
+          f.puts(output)
+        end
+      end
+
+    end
+  end
+end

data/lib/dependency_spy/outputs/stdout.rb

@@ -0,0 +1,27 @@
+# dependency_spy - Finds known vulnerabilities in your dependencies
+# Copyright (C) 2017-2018 Rodrigo Fernandes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+module DependencySpy
+  class Outputs
+    class StdOut
+
+      def self.write(output)
+        puts output
+      end
+
+    end
+  end
+end