dependency_spy 0.1.4 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4dafbfcad987ca150684d454d2f8a1b46d91d6c6
-  data.tar.gz: 42aed12f4b93852fcf3d55c4d095b66a6538eb39
+  metadata.gz: f49de1317ff3ca8c8aec33d988ec30d8b3e0af81
+  data.tar.gz: 520b51be4d74d30e991bfc5de3217fe3d701bc7d
 SHA512:
-  metadata.gz: '001439d501b54d23b34c198669335d75334667e5ccd626ece01cfb76eb537d7b203498778c123b25607bde21bfd63991d0e22ddccfb01d9feeea7d8efcfca7c7'
-  data.tar.gz: 5e00f6b3b6093a1ce6f8fd1ba5d669f8907a4b92dda8999907283050be2e08af2a7af81f801197e31f4e0bc7b14391f26496426ba03103ab7ebb2fc97ce76a44
+  metadata.gz: f55af66046ca23171e7eeca25a8e18f35eae07fa73e27e1623209f6017c6801d590d3f4a992fcf0622d27256cb4766b32168e57229699c2c97e3cd1b37dee853
+  data.tar.gz: 774dcfcfc185696fb6ac454c649be5207812d04ea4f8c533846846254834a3f6e05f7eb5e8e5c03bb5b4669aee3d9ec527623f717b61cee390e3ee4186a8148b

data/.circleci/config.yml

@@ -26,6 +26,10 @@ jobs:
         paths:
           - /tmp/vendor/bundle
 
+      - name: Vulnerable dependencies
+        type: shell
+        command: bundle exec depspy check --files Gemfile,Gemfile.lock
+
       - name: Rubocop
         type: shell
         command: bundle exec rubocop

data/Gemfile.lock

@@ -1,11 +1,11 @@
 PATH
   remote: .
   specs:
-    dependency_spy (0.1.4)
+    dependency_spy (0.2.0)
       bibliothecary (~> 6.3)
       semantic_range (~> 2.1)
       thor (~> 0.20)
-      yavdb (~> 0.1)
+      yavdb (~> 0.2)
 
 GEM
   remote: https://rubygems.org/
@@ -89,7 +89,7 @@ GEM
     typhoeus (1.3.0)
       ethon (>= 0.9.0)
     unicode-display_width (1.4.0)
-    yavdb (0.1.2)
+    yavdb (0.2.0)
       json (~> 2.1)
       kramdown (~> 1.17)
       oga (~> 2.15)

data/README.md

@@ -4,11 +4,11 @@
 [![Codacy Badge](https://api.codacy.com/project/badge/Coverage/5ae8d9aa788e4855965974f480a0b91b)](https://www.codacy.com/app/rtfpessoa/dependency_spy?utm_source=github.com&utm_medium=referral&utm_content=rtfpessoa/dependency_spy&utm_campaign=Badge_Coverage)
 [![CircleCI](https://circleci.com/gh/rtfpessoa/dependency_spy.svg?style=svg)](https://circleci.com/gh/rtfpessoa/dependency_spy)
 
-Finds known vulnerabilities in your dependencies
+Finds known vulnerabilities in your dependencies using [yavdb](https://github.com/rtfpessoa/yavdb) as the source agregator of vulnerabilities.
 
 Thanks to the amazing work done by [libraries.io](https://libraries.io/) all the dependency manifest parsing is
 handled by [bibliothecary](https://github.com/librariesio/bibliothecary) and this means we have support for more than 20
-package managers. Due to the limited sources of information we only have identified vulnerabilities for the ones listed below.
+package managers. Due to the limited sources of information we only have identified vulnerabilities for the ones listed in [yavdb](https://github.com/rtfpessoa/yavdb#yet-another-vulnerability-database).
 
 ## Disclaimer
 
@@ -30,15 +30,14 @@ Use as a complement to other tools at your own risk.
 ## Prerequisites
 
 * Ruby 2.3 or newer
+* Bundler `gem install bundler`
 
 ## Installation
 
 ```sh
-gem install dependency_spy --pre
+gem install dependency_spy
 ```
 
-> Notice the `--pre` in the end
-
 ## Usage
 
 ### Examples
@@ -56,6 +55,7 @@ depspy
 
 #### Features/Improvements
 
+- [ ] Ignore vulnerabilities
 - [ ] Improve output formatters
 - [ ] Add more output options
 

data/dependency_spy.gemspec

@@ -38,5 +38,5 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'bibliothecary', ['~> 6.3']
   spec.add_runtime_dependency 'semantic_range', ['~> 2.1']
   spec.add_runtime_dependency 'thor', ['~> 0.20']
-  spec.add_runtime_dependency 'yavdb', ['~> 0.1']
+  spec.add_runtime_dependency 'yavdb', ['~> 0.2']
 end

data/lib/dependency_spy.rb

@@ -28,7 +28,7 @@ require_relative 'dependency_spy/semver'
 module DependencySpy
   class API
 
-    def self.check(path = Dir.pwd, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
+    def self.check(path = Dir.pwd, files = nil, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
       unless File.exist?(database_path)
         puts 'Could not find local vulnerability database, going to download the database.'
         YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
@@ -36,7 +36,9 @@ module DependencySpy
 
       path             = File.expand_path(path)
       package_managers = find_platform(platform)
-      file_list        = if File.file?(path)
+      file_list        = if !files.nil?
+                           files.split(',')
+                         elsif File.file?(path)
                            path = File.dirname(path)
                            [File.basename(path)]
                          else
@@ -61,9 +63,11 @@ module DependencySpy
             unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
             patched    = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
 
-            vulnerable ||
-              (vuln.unaffected_versions&.any? && !unaffected) ||
-              (vuln.patched_versions&.any? && !patched)
+            if unaffected || patched
+              false
+            else
+              vulnerable
+            end
           end
 
           Dependency.new(package_name, version, type, vulnerabilities.uniq)

data/lib/dependency_spy/cli.rb

@@ -40,13 +40,14 @@ module DependencySpy
 
     desc('check', 'Check dependencies for known vulnerabilities')
     method_option('path', :aliases => :p, :type => :string, :default => Dir.pwd)
+    method_option('files', :type => :string)
     method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase }, :default => FORMATTERS.first.name.split('::').last.downcase)
     method_option('platform', :aliases => :m, :type => :string, :enum => YAVDB::Constants::POSSIBLE_PACKAGE_MANAGERS.map(&:downcase))
     method_option('output-path', :aliases => :o, :type => :string)
     method_option('database-path', :type => :string, :aliases => :p, :default => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
 
     def check
-      manifests = API.check(options['path'], options['platform'], options['database-path'])
+      manifests = API.check(options['path'], options['files'], options['platform'], options['database-path'])
 
       formatted_output =
         FORMATTERS
@@ -58,6 +59,11 @@ module DependencySpy
       else
         DependencySpy::Outputs::StdOut.write(formatted_output)
       end
+
+      has_vulnerabilities =
+        manifests.any? { |manifest| manifest.dependencies.any? { |dependency| dependency.vulnerabilities.any? } }
+
+      exit(1) if has_vulnerabilities
     end
 
     method_option('vuln-db-path', :aliases => :d, :type => :string, :default => YAVDB::Constants::DEFAULT_YAVDB_PATH)

data/lib/dependency_spy/version.rb

@@ -16,6 +16,6 @@
 
 module DependencySpy
 
-  VERSION = '0.1.4'
+  VERSION = '0.2.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependency_spy
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.2.0
 platform: ruby
 authors:
 - Rodrigo Fernandes
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-29 00:00:00.000000000 Z
+date: 2018-10-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -170,14 +170,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.1'
+        version: '0.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.1'
+        version: '0.2'
 description: "\n    Finds known vulnerabilities in your dependencies\n    Using rubysec/ruby-advisory-db,
   snyk.io, ossindex.net, nodesecurity.io\n  "
 email: