dependency_spy 0.2.2 → 0.3.0
- checksums.yaml +4 -4
- data/Gemfile.lock +3 -1
- data/dependency_spy.gemspec +1 -0
- data/lib/dependency_spy/cli.rb +17 -6
- data/lib/dependency_spy/formatters/text.rb +8 -3
- data/lib/dependency_spy/helper/helper.rb +13 -0
- data/lib/dependency_spy/version.rb +1 -1
- metadata +16 -1
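--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0bd2e870a6e0baec4974d3d1eb6603c73b2d40cd
+data.tar.gz: c07f0e46d2954d97a1787cc06355a97a465a2c64
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b8b3607be32c792bc9457a5c67fb539cbbacdfbffd09283c0aacff793c484be82f546ab88d5c6ef4bf23989b2eb47a86e85829e21abf169b6d70ffeedfececda
+data.tar.gz: f9fe9f2185c0dc51514632c4a6b9cd1c2449dd517f369cfc77d5541e00bb2b4fa67f7e464f8db852ed0c984eea49a5283072fdd2ea33e193ba5cbc185854ae42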
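--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,8 +1,9 @@
 PATH
 remote: .
 specs:
-dependency_spy (0.
+dependency_spy (0.3.0)
 bibliothecary (~> 6.3)
+colorize (~> 0.8.1)
 semantic_range (~> 2.1)
 thor (~> 0.20)
 yavdb (~> 0.4)
@@ -23,6 +24,7 @@ GEM
 citrus (3.0.2)
 codacy-coverage (2.1.0)
 simplecov
+colorize (0.8.1)
 commander (4.4.7)
 highline (~> 2.0.0)
 deb_control (0.0.1)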
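--- a/data/dependency_spy.gemspec
+++ b/data/dependency_spy.gemspec
@@ -36,6 +36,7 @@ Gem::Specification.new do |spec|
 
 # Runtime
 spec.add_runtime_dependency 'bibliothecary', ['~> 6.3']
+spec.add_runtime_dependency 'colorize', ['~> 0.8.1']
 spec.add_runtime_dependency 'semantic_range', ['~> 2.1']
 spec.add_runtime_dependency 'thor', ['~> 0.20']
 spec.add_runtime_dependency 'yavdb', ['~> 0.4']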
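Review bot: `colorize` becomes a runtime dependency of every installation of this gem although its only use in this change is `String#red` in the text formatter, and text.rb requires it at load time, so `String` is patched even when `--with-color false` or another formatter is selected. The `~> 0.8.1` constraint admits any 0.8.x release; `data/Gemfile.lock` pins 0.8.1, which binds development but not consumers of the gem. If the dependency stays, a comment next to the new line stating its purpose, `# ANSI highlighting in the text formatter (String#red)`, would let the next reviewer judge whether it is still needed.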
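--- a/data/lib/dependency_spy/cli.rb
+++ b/data/lib/dependency_spy/cli.rb
@@ -23,6 +23,7 @@ require_relative 'formatters/json'
 require_relative 'formatters/yaml'
 require_relative 'outputs/stdout'
 require_relative 'outputs/file'
+require_relative 'helper/helper'
 
 module DependencySpy
 class CLI < Thor
@@ -46,14 +47,18 @@ module DependencySpy
 method_option('output-path', :aliases => :o, :type => :string)
 method_option('database-path', :type => :string, :aliases => :p, :default => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
 method_option('offline', :type => :boolean, :default => false)
-
+method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES, :default => 'low')
+method_option('with-color', :type => :boolean, :default => true)
 def check
 manifests = API.check(options['path'], options['files'], options['platform'], options['database-path'], options['offline'])
 
-formatted_output =
-
-
-
+formatted_output = if (options['formatter'] == 'text') && !options['output-path'] && options['with-color']
+DependencySpy::Formatters::Text.format(manifests, options['severity-threshold'])
+else
+FORMATTERS
+.find { |f| f.name.split('::').last.downcase == options['formatter'] }
+.format(manifests)
+end
 
 if options['output-path']
 DependencySpy::Outputs::FileSystem.write(options['output-path'], formatted_output)
@@ -62,7 +67,13 @@ module DependencySpy
 end
 
 has_vulnerabilities =
-manifests.any?
+manifests.any? do |manifest|
+manifest[:dependencies]&.any? do |dependency|
+dependency[:vulnerabilities]&.any? do |vuln|
+DependencySpy::Helper.severity_above_threshold?(vuln.severity, options['severity-threshold'])
+end
+end
+end
 
 exit(1) if has_vulnerabilities
 end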
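Review bot: `vuln.severity` is passed straight to `DependencySpy::Helper.severity_above_threshold?`, and a `nil` severity (which the `|| 'unknown'` fallback in text.rb suggests can occur) does not trigger that method's `'unknown'` default, because defaults only apply to omitted arguments; with `--severity-threshold medium` or `high` such a vulnerability evaluates to `false` and no longer produces `exit(1)`, although the helper's first line intends unknown severities to count as above threshold. text.rb makes the same call with the raw value in its second hunk, so both call sites share the gap; the simplest fix is in the helper's first line (helper.rb hunk), `return true if severity_threshold == 'low' || severity.nil? || severity == 'unknown'`, or pass `vuln.severity || 'unknown'` at both call sites. This block also mixes `manifest[:dependencies]`/`dependency[:vulnerabilities]` with the `manifest.dependencies`/`vuln.severity` accessor style used in text.rb; presumably both work on these objects, but one style would be clearer. `check` begins in the previous hunk, outside this one.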
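--- a/data/lib/dependency_spy/formatters/text.rb
+++ b/data/lib/dependency_spy/formatters/text.rb
@@ -13,12 +13,14 @@
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
+require 'colorize'
+require_relative '../helper/helper'
 
 module DependencySpy
 class Formatters
 class Text
 
-def self.format(manifests)
+def self.format(manifests, severity_threshold = nil)
 manifests_text = manifests.map do |manifest|
 manifest_header = "#{manifest.platform}: #{manifest.kind} ~> #{manifest.path} "
 manifest_body = manifest.dependencies.map do |package|
@@ -29,8 +31,11 @@ module DependencySpy
 first = " Title: #{vuln.title}\n"
 second = " Severity: #{(vuln.severity || 'unknown').capitalize}\n"
 third = " Source: #{vuln.source_url}\n\n"
-
-
+if severity_threshold && DependencySpy::Helper.severity_above_threshold?(vuln.severity, severity_threshold)
+"#{first}#{second}#{third}".red
+else
+"#{first}#{second}#{third}"
+end
 end
 
 "#{package_header}\n#{package_body.join("\n")}"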
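Review bot: highlighting is tied to the presence of `severity_threshold`, so `format` emits ANSI escape sequences (`.red`) for every caller that passes a threshold whether or not the result reaches a terminal; only the `with-color`/`output-path` condition in cli.rb keeps them out of files, and the parameter name suggests filtering when its sole effect here is colour. Consider separating the two concerns with a keyword, `def self.format(manifests, severity_threshold = nil, color: false)` guarded by `if color && severity_threshold && DependencySpy::Helper.severity_above_threshold?(vuln.severity, severity_threshold)`, with the CLI passing `color: true` in its coloured branch, and a one-line comment above the method stating that the threshold only controls highlighting. `"#{first}#{second}#{third}"` is also built in both branches; assigning it once to a local and applying `.red` conditionally reads better. `self.format` starts in the previous hunk, outside this one.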
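--- /dev/null
+++ b/data/lib/dependency_spy/helper/helper.rb
@@ -0,0 +1,13 @@
+module DependencySpy
+class Helper
+
+def self.severity_above_threshold?(severity = 'unknown', severity_threshold)
+return true if severity_threshold == 'low' || severity == 'unknown'
+return ['medium', 'high'].include? severity if severity_threshold == 'medium'
+return severity == 'high' if severity_threshold == 'high'
+
+false
+end
+
+end
+end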
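Review bot: any `severity_threshold` other than `'low'`, `'medium'` or `'high'` falls through to the final `false`, which in cli.rb means no vulnerability is counted and the command exits 0; the CLI limits the option to `YAVDB::Constants::SEVERITIES`, and if that list contains any other value (not visible here) the check would silently pass everything. For an exit-code gate a loud failure is the safer default: replace the trailing `false` with `raise ArgumentError, "unknown severity threshold: #{severity_threshold}"`. The optional `severity = 'unknown'` placed before a required parameter is legal but unusual, and neither visible caller omits the argument, so the default is never applied. A frozen constant such as `SEVERITIES_ABOVE_MEDIUM = %w[medium high].freeze` would also avoid allocating the array on every call, and a short comment stating that the method answers "does this severity meet or exceed the threshold" would document the contract.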
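--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependency_spy
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.3.0
 platform: ruby
 authors:
 - Rodrigo Fernandes
@@ -136,6 +136,20 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '6.3'
+- !ruby/object:Gem::Dependency
+name: colorize
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.8.1
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.8.1
 - !ruby/object:Gem::Dependency
 name: semantic_range
 requirement: !ruby/object:Gem::Requirement
@@ -215,6 +229,7 @@ files:
 - lib/dependency_spy/formatters/json.rb
 - lib/dependency_spy/formatters/text.rb
 - lib/dependency_spy/formatters/yaml.rb
+- lib/dependency_spy/helper/helper.rb
 - lib/dependency_spy/outputs/file.rb
 - lib/dependency_spy/outputs/stdout.rb
 - lib/dependency_spy/semver.rb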