dependency_spy 0.1.4 → 0.2.0
- checksums.yaml +4 -4
- data/.circleci/config.yml +4 -0
- data/Gemfile.lock +3 -3
- data/README.md +5 -5
- data/dependency_spy.gemspec +1 -1
- data/lib/dependency_spy.rb +9 -5
- data/lib/dependency_spy/cli.rb +7 -1
- data/lib/dependency_spy/version.rb +1 -1
- metadata +4 -4
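--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f49de1317ff3ca8c8aec33d988ec30d8b3e0af81
+data.tar.gz: 520b51be4d74d30e991bfc5de3217fe3d701bc7d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f55af66046ca23171e7eeca25a8e18f35eae07fa73e27e1623209f6017c6801d590d3f4a992fcf0622d27256cb4766b32168e57229699c2c97e3cd1b37dee853
+data.tar.gz: 774dcfcfc185696fb6ac454c649be5207812d04ea4f8c533846846254834a3f6e05f7eb5e8e5c03bb5b4669aee3d9ec527623f717b61cee390e3ee4186a8148b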
data/.circleci/config.yml
CHANGED
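--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,11 +1,11 @@
 PATH
 remote: .
 specs:
-dependency_spy (0.
+dependency_spy (0.2.0)
 bibliothecary (~> 6.3)
 semantic_range (~> 2.1)
 thor (~> 0.20)
-yavdb (~> 0.
+yavdb (~> 0.2)
 
 GEM
 remote: https://rubygems.org/
@@ -89,7 +89,7 @@ GEM
 typhoeus (1.3.0)
 ethon (>= 0.9.0)
 unicode-display_width (1.4.0)
-yavdb (0.
+yavdb (0.2.0)
 json (~> 2.1)
 kramdown (~> 1.17)
 oga (~> 2.15)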
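--- a/data/README.md
+++ b/data/README.md
@@ -4,11 +4,11 @@
 [![Codacy Badge](https://api.codacy.com/project/badge/Coverage/5ae8d9aa788e4855965974f480a0b91b)](https://www.codacy.com/app/rtfpessoa/dependency_spy?utm_source=github.com&utm_medium=referral&utm_content=rtfpessoa/dependency_spy&utm_campaign=Badge_Coverage)
 [![CircleCI](https://circleci.com/gh/rtfpessoa/dependency_spy.svg?style=svg)](https://circleci.com/gh/rtfpessoa/dependency_spy)
 
-Finds known vulnerabilities in your dependencies
+Finds known vulnerabilities in your dependencies using [yavdb](https://github.com/rtfpessoa/yavdb) as the source agregator of vulnerabilities.
 
 Thanks to the amazing work done by [libraries.io](https://libraries.io/) all the dependency manifest parsing is
 handled by [bibliothecary](https://github.com/librariesio/bibliothecary) and this means we have support for more than 20
-package managers. Due to the limited sources of information we only have identified vulnerabilities for the ones listed
+package managers. Due to the limited sources of information we only have identified vulnerabilities for the ones listed in [yavdb](https://github.com/rtfpessoa/yavdb#yet-another-vulnerability-database).
 
 ## Disclaimer
 
@@ -30,15 +30,14 @@ Use as a complement to other tools at your own risk.
 ## Prerequisites
 
 * Ruby 2.3 or newer
+* Bundler `gem install bundler`
 
 ## Installation
 
 ```sh
-gem install dependency_spy
+gem install dependency_spy
 ```
 
-> Notice the `--pre` in the end
-
 ## Usage
 
 ### Examples
@@ -56,6 +55,7 @@ depspy
 
 #### Features/Improvements
 
+- [ ] Ignore vulnerabilities
 - [ ] Improve output formatters
 - [ ] Add more output options
 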
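--- a/data/dependency_spy.gemspec
+++ b/data/dependency_spy.gemspec
@@ -38,5 +38,5 @@ Gem::Specification.new do |spec|
 spec.add_runtime_dependency 'bibliothecary', ['~> 6.3']
 spec.add_runtime_dependency 'semantic_range', ['~> 2.1']
 spec.add_runtime_dependency 'thor', ['~> 0.20']
-spec.add_runtime_dependency 'yavdb', ['~> 0.
+spec.add_runtime_dependency 'yavdb', ['~> 0.2']
 end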
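--- a/data/lib/dependency_spy.rb
+++ b/data/lib/dependency_spy.rb
@@ -28,7 +28,7 @@ require_relative 'dependency_spy/semver'
 module DependencySpy
 class API
 
-def self.check(path = Dir.pwd, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
+def self.check(path = Dir.pwd, files = nil, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
 unless File.exist?(database_path)
 puts 'Could not find local vulnerability database, going to download the database.'
 YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
@@ -36,7 +36,9 @@ module DependencySpy
 
 path = File.expand_path(path)
 package_managers = find_platform(platform)
-file_list = if
+file_list = if !files.nil?
+files.split(',')
+elsif File.file?(path)
 path = File.dirname(path)
 [File.basename(path)]
 else
@@ -61,9 +63,11 @@ module DependencySpy
 unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
 patched = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
 
-
-
-
+if unaffected || patched
+false
+else
+vulnerable
+end
 end
 
 Dependency.new(package_name, version, type, vulnerabilities.uniq)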
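Review bot: In the `elsif File.file?(path)` branch that the new `if` expression introduces, `path = File.dirname(path)` runs before `[File.basename(path)]`, so as rendered here the list ends up holding the parent directory's name rather than the manifest's file name; capturing the name first avoids that: `manifest = File.basename(path)`, `path = File.dirname(path)`, `[manifest]`. The new `files.split(',')` branch keeps surrounding whitespace and empty entries, and an empty `files` string yields `[]`, which presumably scans nothing without any message; `files.split(',').map(&:strip).reject(&:empty?)` handles the first two, and `if files` reads better than `if !files.nil?`. Inserting `files` as the second positional parameter of the public `API.check` shifts `platform` and `database_path` for any existing caller that passes them positionally; a keyword argument, or appending the new parameter last, would keep old calls working. The `check` method and the block building `vulnerabilities` both continue outside the hunks.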
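--- a/data/lib/dependency_spy/cli.rb
+++ b/data/lib/dependency_spy/cli.rb
@@ -40,13 +40,14 @@ module DependencySpy
 
 desc('check', 'Check dependencies for known vulnerabilities')
 method_option('path', :aliases => :p, :type => :string, :default => Dir.pwd)
+method_option('files', :type => :string)
 method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase }, :default => FORMATTERS.first.name.split('::').last.downcase)
 method_option('platform', :aliases => :m, :type => :string, :enum => YAVDB::Constants::POSSIBLE_PACKAGE_MANAGERS.map(&:downcase))
 method_option('output-path', :aliases => :o, :type => :string)
 method_option('database-path', :type => :string, :aliases => :p, :default => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
 
 def check
-manifests = API.check(options['path'], options['platform'], options['database-path'])
+manifests = API.check(options['path'], options['files'], options['platform'], options['database-path'])
 
 formatted_output =
 FORMATTERS
@@ -58,6 +59,11 @@ module DependencySpy
 else
 DependencySpy::Outputs::StdOut.write(formatted_output)
 end
+
+has_vulnerabilities =
+manifests.any? { |manifest| manifest.dependencies.any? { |dependency| dependency.vulnerabilities.any? } }
+
+exit(1) if has_vulnerabilities
 end
 
 method_option('vuln-db-path', :aliases => :d, :type => :string, :default => YAVDB::Constants::DEFAULT_YAVDB_PATH)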
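Review bot: The new `method_option('files', :type => :string)` carries no `:desc`, so `help check` gives no hint that the value is a comma-separated list, which is the format the `API.check` change on this page splits on; `method_option('files', :type => :string, :desc => 'Comma-separated list of dependency manifest files to check')` would document it. The `exit(1) if has_vulnerabilities` added at the end of `check` is a behaviour change for scripted and CI callers and is not reflected in the command description; `desc('check', 'Check dependencies for known vulnerabilities (exits with status 1 if any are found)')` would make it discoverable. As a pre-existing point visible in the context lines, `'database-path'` declares `:aliases => :p`, the same alias already used by `'path'`. The `check` method now lies entirely within the two hunks, but the enclosing class and module continue outside them.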
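--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependency_spy
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.2.0
 platform: ruby
 authors:
 - Rodrigo Fernandes
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-
+date: 2018-10-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -170,14 +170,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '0.
+version: '0.2'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '0.
+version: '0.2'
 description: "\n Finds known vulnerabilities in your dependencies\n Using rubysec/ruby-advisory-db,
 snyk.io, ossindex.net, nodesecurity.io\n "
 email: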