dependency_spy 0.2.2 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +3 -1
- data/dependency_spy.gemspec +1 -0
- data/lib/dependency_spy/cli.rb +17 -6
- data/lib/dependency_spy/formatters/text.rb +8 -3
- data/lib/dependency_spy/helper/helper.rb +13 -0
- data/lib/dependency_spy/version.rb +1 -1
- metadata +16 -1
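--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0bd2e870a6e0baec4974d3d1eb6603c73b2d40cd
+data.tar.gz: c07f0e46d2954d97a1787cc06355a97a465a2c64
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b8b3607be32c792bc9457a5c67fb539cbbacdfbffd09283c0aacff793c484be82f546ab88d5c6ef4bf23989b2eb47a86e85829e21abf169b6d70ffeedfececda
+data.tar.gz: f9fe9f2185c0dc51514632c4a6b9cd1c2449dd517f369cfc77d5541e00bb2b4fa67f7e464f8db852ed0c984eea49a5283072fdd2ea33e193ba5cbc185854ae42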
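--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,8 +1,9 @@
 PATH
 remote: .
 specs:
-dependency_spy (0.
+dependency_spy (0.3.0)
 bibliothecary (~> 6.3)
+colorize (~> 0.8.1)
 semantic_range (~> 2.1)
 thor (~> 0.20)
 yavdb (~> 0.4)
@@ -23,6 +24,7 @@ GEM
 citrus (3.0.2)
 codacy-coverage (2.1.0)
 simplecov
+colorize (0.8.1)
 commander (4.4.7)
 highline (~> 2.0.0)
 deb_control (0.0.1)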
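--- a/data/dependency_spy.gemspec
+++ b/data/dependency_spy.gemspec
@@ -36,6 +36,7 @@ Gem::Specification.new do |spec|
 
 # Runtime
 spec.add_runtime_dependency 'bibliothecary', ['~> 6.3']
+spec.add_runtime_dependency 'colorize', ['~> 0.8.1']
 spec.add_runtime_dependency 'semantic_range', ['~> 2.1']
 spec.add_runtime_dependency 'thor', ['~> 0.20']
 spec.add_runtime_dependency 'yavdb', ['~> 0.4']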
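--- a/data/lib/dependency_spy/cli.rb
+++ b/data/lib/dependency_spy/cli.rb
@@ -23,6 +23,7 @@ require_relative 'formatters/json'
 require_relative 'formatters/yaml'
 require_relative 'outputs/stdout'
 require_relative 'outputs/file'
+require_relative 'helper/helper'
 
 module DependencySpy
 class CLI < Thor
@@ -46,14 +47,18 @@ module DependencySpy
 method_option('output-path', :aliases => :o, :type => :string)
 method_option('database-path', :type => :string, :aliases => :p, :default => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
 method_option('offline', :type => :boolean, :default => false)
-
+method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES, :default => 'low')
+method_option('with-color', :type => :boolean, :default => true)
 def check
 manifests = API.check(options['path'], options['files'], options['platform'], options['database-path'], options['offline'])
 
-formatted_output =
-
-
-
+formatted_output = if (options['formatter'] == 'text') && !options['output-path'] && options['with-color']
+DependencySpy::Formatters::Text.format(manifests, options['severity-threshold'])
+else
+FORMATTERS
+.find { |f| f.name.split('::').last.downcase == options['formatter'] }
+.format(manifests)
+end
 
 if options['output-path']
 DependencySpy::Outputs::FileSystem.write(options['output-path'], formatted_output)
@@ -62,7 +67,13 @@ module DependencySpy
 end
 
 has_vulnerabilities =
-manifests.any?
+manifests.any? do |manifest|
+manifest[:dependencies]&.any? do |dependency|
+dependency[:vulnerabilities]&.any? do |vuln|
+DependencySpy::Helper.severity_above_threshold?(vuln.severity, options['severity-threshold'])
+end
+end
+end
 
 exit(1) if has_vulnerabilities
 end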
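Review bot: The exit-code gate in the new `has_vulnerabilities` block fails open for findings with no severity: it passes `vuln.severity` to `severity_above_threshold?` unchanged, while the text formatter in this same release writes `(vuln.severity || 'unknown')`, showing that nil is an expected value, so with `--severity-threshold medium` or `high` a nil-severity finding is neither `'unknown'` nor in the allowed list and the command exits 0. Use `DependencySpy::Helper.severity_above_threshold?(vuln.severity || 'unknown', options['severity-threshold'])` here, or normalise inside the helper so every caller gets the same answer. The block also reads `manifest[:dependencies]` and `dependency[:vulnerabilities]` with hash-style access while the formatter uses `manifest.dependencies` and `vuln.severity`; if `API.check` returns plain objects rather than hashes or Structs, `[]` raises, which is worth confirming against its return type outside this hunk. The enclosing `check` method begins in the previous hunk.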
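--- a/data/lib/dependency_spy/formatters/text.rb
+++ b/data/lib/dependency_spy/formatters/text.rb
@@ -13,12 +13,14 @@
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
+require 'colorize'
+require_relative '../helper/helper'
 
 module DependencySpy
 class Formatters
 class Text
 
-def self.format(manifests)
+def self.format(manifests, severity_threshold = nil)
 manifests_text = manifests.map do |manifest|
 manifest_header = "#{manifest.platform}: #{manifest.kind} ~> #{manifest.path} "
 manifest_body = manifest.dependencies.map do |package|
@@ -29,8 +31,11 @@ module DependencySpy
 first = " Title: #{vuln.title}\n"
 second = " Severity: #{(vuln.severity || 'unknown').capitalize}\n"
 third = " Source: #{vuln.source_url}\n\n"
-
-
+if severity_threshold && DependencySpy::Helper.severity_above_threshold?(vuln.severity, severity_threshold)
+"#{first}#{second}#{third}".red
+else
+"#{first}#{second}#{third}"
+end
 end
 
 "#{package_header}\n#{package_body.join("\n")}"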
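Review bot: The new highlighting condition passes raw `vuln.severity` to `severity_above_threshold?` one line after `second` renders a nil severity as 'Unknown', so an entry with no severity prints as Unknown but is not coloured red at a medium or high threshold, even though the helper treats the string `'unknown'` as above any threshold. Use `DependencySpy::Helper.severity_above_threshold?(vuln.severity || 'unknown', severity_threshold)` so both lines agree. The new `severity_threshold = nil` parameter is undocumented; a comment above `self.format` saying that nil disables highlighting and that entries below the threshold are still printed, only uncoloured, would stop callers from expecting the threshold to filter output. The `format` method continues outside the hunk.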
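--- a/data/lib/dependency_spy/helper/helper.rb
+++ b/data/lib/dependency_spy/helper/helper.rb
@@ -0,0 +1,13 @@
+module DependencySpy
+class Helper
+
+def self.severity_above_threshold?(severity = 'unknown', severity_threshold)
+return true if severity_threshold == 'low' || severity == 'unknown'
+return ['medium', 'high'].include? severity if severity_threshold == 'medium'
+return severity == 'high' if severity_threshold == 'high'
+
+false
+end
+
+end
+end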
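Review bot: `severity_above_threshold?` answers false for any severity it does not recognise, so a nil, a differently-cased value, or a level outside low/medium/high is silently counted as below threshold — for a predicate whose result drives `exit(1)` the safe default is the opposite. The `severity = 'unknown'` default only applies when the argument is omitted, and both callers in this release pass `vuln.severity` explicitly, so an explicit nil never reaches it. Normalise at the top instead: `severity = severity.to_s.downcase`, then `severity = 'unknown' unless %w[low medium high].include?(severity)`, after which the existing branches are correct; an optional parameter placed before a required one is also unidiomatic Ruby and reads like a mistake. A short comment stating that 'unknown' always counts as above threshold would document the intended fail-safe behaviour.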
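--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependency_spy
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.3.0
 platform: ruby
 authors:
 - Rodrigo Fernandes
@@ -136,6 +136,20 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '6.3'
+- !ruby/object:Gem::Dependency
+name: colorize
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.8.1
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.8.1
 - !ruby/object:Gem::Dependency
 name: semantic_range
 requirement: !ruby/object:Gem::Requirement
@@ -215,6 +229,7 @@ files:
 - lib/dependency_spy/formatters/json.rb
 - lib/dependency_spy/formatters/text.rb
 - lib/dependency_spy/formatters/yaml.rb
+- lib/dependency_spy/helper/helper.rb
 - lib/dependency_spy/outputs/file.rb
 - lib/dependency_spy/outputs/stdout.rb
 - lib/dependency_spy/semver.rb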