dependency_spy 0.3.0 → 0.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 0bd2e870a6e0baec4974d3d1eb6603c73b2d40cd
-  data.tar.gz: c07f0e46d2954d97a1787cc06355a97a465a2c64
+SHA256:
+  metadata.gz: bb58e1e3a80a6baba1c4c5386805977e22efba6b5a3e2631f732d08846034a2e
+  data.tar.gz: 989f3375b5eed793e0711592b17aafa2444de743cdf5a234fb9888fe309a26bc
 SHA512:
-  metadata.gz: b8b3607be32c792bc9457a5c67fb539cbbacdfbffd09283c0aacff793c484be82f546ab88d5c6ef4bf23989b2eb47a86e85829e21abf169b6d70ffeedfececda
-  data.tar.gz: f9fe9f2185c0dc51514632c4a6b9cd1c2449dd517f369cfc77d5541e00bb2b4fa67f7e464f8db852ed0c984eea49a5283072fdd2ea33e193ba5cbc185854ae42
+  metadata.gz: 5d1be8417cab3fb934aab4d31a531f6a3da7587e09565080afbf0ef91d76e70bb48c054b8d470e8d80dcd6e5e80292ffd73e31372f08df00a3dc1b9b1e0dda19
+  data.tar.gz: 467f4211c000f6439701f3ec494f09928daa4f858300f837d5366b77b2dbd306586cb3636bbaca4e095a307a606836359c6645a1e9b7311e6a3036a2045b7eb8

data/.circleci/config.yml

@@ -4,21 +4,20 @@ jobs:
   build-lint-test:
     working_directory: ~/dependency_spy
     docker:
-      - image: circleci/ruby:2.3.7
+      - image: circleci/ruby:2.5.5
     steps:
       - checkout
 
-      - name: Install Bundler Version
-        type: shell
-        command: gem install bundler -v 1.16
-
       - name: Restore cache
         type: cache-restore
         key: yavdb-{{ checksum "Gemfile.lock" }}
 
       - name: Bundle Install
         type: shell
-        command: bundle install --path /tmp/vendor/bundle
+        command: |
+          sudo gem update --system
+          gem install bundler
+          bundle install --path /tmp/vendor/bundle
 
       - name: Save cache
         type: cache-save
@@ -28,7 +27,7 @@ jobs:
 
       - name: Vulnerable dependencies
         type: shell
-        command: bundle exec depspy check --files Gemfile,Gemfile.lock
+        command: bundle exec bin/depspy check --files Gemfile,Gemfile.lock
 
       - name: Rubocop
         type: shell

data/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,32 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. Windows, Linux, Mac]
+ - Ruby Version [e.g. 2.5.5]
+ - Version [e.g. 22]
+
+**Additional context**
+Add any other context about the problem here.

data/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

data/.gitignore

@@ -112,3 +112,5 @@ build-iPhoneSimulator/
 *.iml
 
 # End of https://www.gitignore.io/api/jetbrains,ruby
+
+.depspy.yml

data/.rubocop.yml

@@ -1,63 +1,69 @@
+inherit_from: .rubocop_todo.yml
+
+require:
+  - rubocop-performance
+  - rubocop-rspec
+
 AllCops:
   # Include common Ruby source files.
   Include:
-  - '**/*.builder'
-  - '**/*.fcgi'
-  - '**/*.gemspec'
-  - '**/*.god'
-  - '**/*.jb'
-  - '**/*.jbuilder'
-  - '**/*.mspec'
-  - '**/*.opal'
-  - '**/*.pluginspec'
-  - '**/*.podspec'
-  - '**/*.rabl'
-  - '**/*.rake'
-  - '**/*.rb'
-  - '**/*.rbuild'
-  - '**/*.rbw'
-  - '**/*.rbx'
-  - '**/*.ru'
-  - '**/*.ruby'
-  - '**/*.spec'
-  - '**/*.thor'
-  - '**/*.watchr'
-  - '**/.irbrc'
-  - '**/.pryrc'
-  - '**/buildfile'
-  - '**/config.ru'
-  - '**/Appraisals'
-  - '**/Berksfile'
-  - '**/Brewfile'
-  - '**/Buildfile'
-  - '**/Capfile'
-  - '**/Cheffile'
-  - '**/Dangerfile'
-  - '**/Deliverfile'
-  - '**/Fastfile'
-  - '**/*Fastfile'
-  - '**/Gemfile'
-  - '**/Guardfile'
-  - '**/Jarfile'
-  - '**/Mavenfile'
-  - '**/Podfile'
-  - '**/Puppetfile'
-  - '**/Rakefile'
-  - '**/Snapfile'
-  - '**/Thorfile'
-  - '**/Vagabondfile'
-  - '**/Vagrantfile'
+    - "**/*.builder"
+    - "**/*.fcgi"
+    - "**/*.gemspec"
+    - "**/*.god"
+    - "**/*.jb"
+    - "**/*.jbuilder"
+    - "**/*.mspec"
+    - "**/*.opal"
+    - "**/*.pluginspec"
+    - "**/*.podspec"
+    - "**/*.rabl"
+    - "**/*.rake"
+    - "**/*.rb"
+    - "**/*.rbuild"
+    - "**/*.rbw"
+    - "**/*.rbx"
+    - "**/*.ru"
+    - "**/*.ruby"
+    - "**/*.spec"
+    - "**/*.thor"
+    - "**/*.watchr"
+    - "**/.irbrc"
+    - "**/.pryrc"
+    - "**/buildfile"
+    - "**/config.ru"
+    - "**/Appraisals"
+    - "**/Berksfile"
+    - "**/Brewfile"
+    - "**/Buildfile"
+    - "**/Capfile"
+    - "**/Cheffile"
+    - "**/Dangerfile"
+    - "**/Deliverfile"
+    - "**/Fastfile"
+    - "**/*Fastfile"
+    - "**/Gemfile"
+    - "**/Guardfile"
+    - "**/Jarfile"
+    - "**/Mavenfile"
+    - "**/Podfile"
+    - "**/Puppetfile"
+    - "**/Rakefile"
+    - "**/Snapfile"
+    - "**/Thorfile"
+    - "**/Vagabondfile"
+    - "**/Vagrantfile"
   Exclude:
-  - 'database/**/*'
-  - 'db/**/*'
-  - 'tmp/**/*'
-  - 'vendor/**/*'
-  - 'bin/**/*'
-  - 'log/**/*'
+    - "database/**/*"
+    - "db/**/*"
+    - "tmp/**/*"
+    - "vendor/**/*"
+    - "bin/**/*"
+    - "log/**/*"
   DefaultFormatter: progress
   UseCache: false
   DisplayCopNames: false
-  TargetRubyVersion: 2.3.7
+  TargetRubyVersion: 2.5.5
 
 Gemspec/OrderedDependencies:
   Enabled: true
@@ -82,7 +88,7 @@ Layout/EmptyLinesAroundClassBody:
   Enabled: true
   EnforcedStyle: empty_lines_except_namespace
   Exclude:
-  - "lib/dependency_spy/dtos/dependency.rb"
+    - "lib/dependency_spy/dtos/dependency.rb"
 
 Layout/EmptyLinesAroundMethodBody:
   Enabled: true
@@ -94,18 +100,18 @@ Layout/EmptyLinesAroundModuleBody:
 Layout/ExtraSpacing:
   Enabled: true
 
-Layout/FirstParameterIndentation:
+Layout/FirstArgumentIndentation:
   Enabled: true
   EnforcedStyle: consistent
   IndentationWidth: 2
 
-Layout/IndentArray:
+Layout/FirstArrayElementIndentation:
   Enabled: true
 
-Layout/IndentAssignment:
+Layout/AssignmentIndentation:
   Enabled: true
 
-Layout/IndentHash:
+Layout/FirstHashElementIndentation:
   Enabled: true
 
 Layout/MultilineHashBraceLayout:
@@ -122,7 +128,7 @@ Layout/MultilineOperationIndentation:
 Layout/SpaceAfterComma:
   Enabled: true
 
-Layout/AlignParameters:
+Layout/ParameterAlignment:
   Enabled: true
   EnforcedStyle: with_fixed_indentation
 
@@ -153,7 +159,7 @@ Lint/UselessAccessModifier:
 Lint/UselessAssignment:
   Enabled: true
 
-Lint/HandleExceptions:
+Lint/SuppressedException:
   Enabled: true
 
 Metrics/AbcSize:
@@ -164,7 +170,7 @@ Metrics/BlockLength:
   Enabled: true
   Max: 51
   Exclude:
-  - "spec/snyk_io_spec.rb"
+    - "spec/snyk_io_spec.rb"
 
 Metrics/ClassLength:
   Enabled: false
@@ -174,7 +180,7 @@ Metrics/CyclomaticComplexity:
   Enabled: false
   Max: 15
 
-Metrics/LineLength:
+Layout/LineLength:
   Enabled: false
   Max: 147
 
@@ -316,10 +322,10 @@ Style/TrailingCommaInHashLiteral:
   Enabled: true
   EnforcedStyleForMultiline: no_comma
 
-Style/UnneededInterpolation:
+Style/RedundantInterpolation:
   Enabled: true
 
-Style/UnneededPercentQ:
+Style/RedundantPercentQ:
   Enabled: true
 
 Style/WhileUntilDo:

data/.rubocop_todo.yml

@@ -0,0 +1,34 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config --auto-gen-only-exclude`
+# on 2020-01-01 22:58:30 +0000 using RuboCop version 0.78.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 4
+# Configuration parameters: Max.
+RSpec/ExampleLength:
+  Exclude:
+    - 'spec/dependency_spy_cli_spec.rb'
+    - 'spec/dependency_spy_spec.rb'
+
+# Offense count: 2
+# Configuration parameters: CustomTransform, IgnoreMethods.
+RSpec/FilePath:
+  Exclude:
+    - 'spec/dependency_spy_cli_spec.rb'
+    - 'spec/dependency_spy_spec.rb'
+
+# Offense count: 5
+# Configuration parameters: .
+# SupportedStyles: have_received, receive
+RSpec/MessageSpies:
+  EnforcedStyle: receive
+
+# Offense count: 3
+# Configuration parameters: Max, AggregateFailuresByDefault.
+RSpec/MultipleExpectations:
+  Exclude:
+    - 'spec/dependency_spy_cli_spec.rb'
+    - 'spec/dependency_spy_spec.rb'

data/.ruby-version

@@ -1 +1 @@
-2.3.7
+2.5.5

data/CONTRIBUTING.md

@@ -0,0 +1,60 @@
+## How to contribute to dependency_spy
+
+### Main rules
+
+* Before you open a ticket or send a pull request, [search](https://github.com/rtfpessoa/dependency_spy/issues) for previous discussions about the same feature or issue. Add to the earlier ticket if you find one.
+
+* If you're proposing a new feature, make sure you create an issue to let other contributors know what you are working on.
+
+* Before sending a pull request make sure your code is tested.
+
+* Before sending a pull request for a feature, be sure to run tests.
+
+* Use the same coding style as the rest of the codebase.
+
+* Use `git rebase` (not `git merge`) to sync your work from time to time with the master branch.
+
+* After creating your pull request make sure the build is passing on [CircleCI](https://circleci.com/gh/rtfpessoa/dependency_spy)
+and that [Codacy](https://www.codacy.com/app/rtfpessoa/dependency_spy) is also confident in the code quality.
+
+### Commit Style
+
+Writing good commit logs is important. A commit log should describe what changed and why.
+Follow these guidelines when writing one:
+
+1. The first line should be 50 characters or less and contain a short
+   description of the change prefixed with the name of the changed
+   subsystem (e.g. "net: add localAddress and localPort to Socket").
+2. Keep the second line blank.
+3. Wrap all other lines at 72 columns.
+
+A good commit log can look something like this:
+
+```
+subsystem: explaining the commit in one line
+
+Body of commit message is a few lines of text, explaining things
+in more detail, possibly giving some background about the issue
+being fixed, etc. etc.
+
+The body of the commit message can be several paragraphs, and
+please do proper word-wrap and keep columns shorter than about
+72 characters or so. That way `git log` will show things
+nicely even when it is indented.
+```
+
+### Developer's Certificate of Origin 1.0
+
+By making a contribution to this project, I certify that:
+
+* (a) The contribution was created in whole or in part by me and I
+  have the right to submit it under the open source license indicated
+  in the file; or
+* (b) The contribution is based upon previous work that, to the best
+  of my knowledge, is covered under an appropriate open source license
+  and I have the right under that license to submit that work with
+  modifications, whether created in whole or in part by me, under the
+  same open source license (unless I am permitted to submit under a
+  different license), as indicated in the file; or
+* (c) The contribution was provided directly to me by some other
+  person who certified (a), (b) or (c) and I have not modified it.

data/Gemfile.lock

@@ -1,116 +1,135 @@
 PATH
   remote: .
   specs:
-    dependency_spy (0.3.0)
-      bibliothecary (~> 6.3)
-      colorize (~> 0.8.1)
-      semantic_range (~> 2.1)
+    dependency_spy (0.6.1)
+      bibliothecary (~> 6.6)
+      colorize (= 0.8.1)
+      semantic_range (~> 2.2)
       thor (~> 0.20)
-      yavdb (~> 0.4)
+      yavdb (~> 0.5)
 
 GEM
   remote: https://rubygems.org/
   specs:
     ansi (1.5.0)
     ast (2.4.0)
-    bibliothecary (6.3.1)
+    bibliothecary (6.8.5)
       commander
       deb_control
       librariesio-gem-parser
       ox (>= 2.8.1)
       sdl4r
+      strings
+      strings-ansi
       toml-rb (~> 1.0)
       typhoeus
     citrus (3.0.2)
-    codacy-coverage (2.1.0)
+    codacy-coverage (2.2.0)
       simplecov
     colorize (0.8.1)
     commander (4.4.7)
       highline (~> 2.0.0)
     deb_control (0.0.1)
     diff-lcs (1.3)
-    docile (1.3.1)
-    ethon (0.11.0)
+    docile (1.3.2)
+    ethon (0.12.0)
       ffi (>= 1.3.0)
-    ffi (1.9.25)
-    highline (2.0.0)
-    jaro_winkler (1.5.1)
-    json (2.1.0)
-    kramdown (1.17.0)
+    execjs (2.7.0)
+    ffi (1.11.3)
+    highline (2.0.3)
+    jaro_winkler (1.5.4)
+    json (2.3.0)
+    kramdown (2.3.0)
+      rexml
     librariesio-gem-parser (1.0.0)
+    libv8 (3.16.14.19-x86_64-linux)
     oga (2.15)
       ast
       ruby-ll (~> 2.1)
-    ox (2.10.0)
-    parallel (1.12.1)
-    parser (2.5.1.2)
+    ox (2.12.0)
+    parallel (1.19.1)
+    parser (2.7.0.2)
       ast (~> 2.4.0)
-    powerpack (0.1.2)
     rainbow (3.0.0)
-    rake (12.3.1)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-collection_matchers (1.1.3)
+    rake (13.0.1)
+    ref (2.0.0)
+    rexml (3.2.4)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-collection_matchers (1.2.0)
       rspec-expectations (>= 2.99.0.beta1)
-    rspec-core (3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.2)
+    rspec-core (3.9.1)
+      rspec-support (~> 3.9.1)
+    rspec-expectations (3.9.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-support (3.8.0)
-    rubocop (0.60.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.2)
+    rubocop (0.79.0)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
-      parser (>= 2.5, != 2.5.1.1)
-      powerpack (~> 0.1)
+      parser (>= 2.7.0.1)
       rainbow (>= 2.2.2, < 4.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (~> 1.4.0)
-    rubocop-rspec (1.30.0)
-      rubocop (>= 0.58.0)
+      unicode-display_width (>= 1.4.0, < 1.7)
+    rubocop-performance (1.5.2)
+      rubocop (>= 0.71.0)
+    rubocop-rspec (1.37.1)
+      rubocop (>= 0.68.1)
     ruby-ll (2.1.2)
       ansi
       ast
-    ruby-progressbar (1.10.0)
+    ruby-progressbar (1.10.1)
     sdl4r (0.9.11)
     semantic_interval (0.1.0)
-    semantic_range (2.1.0)
-    simplecov (0.16.1)
+    semantic_range (2.2.1)
+    simplecov (0.17.1)
       docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
-    thor (0.20.0)
+    strings (0.1.8)
+      strings-ansi (~> 0.1)
+      unicode-display_width (~> 1.5)
+      unicode_utils (~> 1.4)
+    strings-ansi (0.2.0)
+    therubyracer (0.12.3)
+      libv8 (~> 3.16.14.15)
+      ref
+    thor (0.20.3)
     toml-rb (1.1.2)
       citrus (~> 3.0, > 3.0)
-    typhoeus (1.3.0)
+    typhoeus (1.3.1)
       ethon (>= 0.9.0)
-    unicode-display_width (1.4.0)
-    yavdb (0.4.1)
-      json (~> 2.1)
-      kramdown (~> 1.17)
+    unicode-display_width (1.6.0)
+    unicode_utils (1.4.0)
+    yavdb (0.5.5)
+      execjs (~> 2.7)
+      json (~> 2.2)
+      kramdown (~> 2.1)
       oga (~> 2.15)
       semantic_interval (~> 0.1)
+      therubyracer (~> 0.12)
       thor (~> 0.20)
+      toml-rb (~> 1.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler (~> 1.16)
   codacy-coverage
   dependency_spy!
-  rake (~> 12.3)
+  rake (~> 13.0)
   rspec (~> 3.8)
   rspec-collection_matchers (~> 1.1)
   rubocop (~> 0.59)
+  rubocop-performance (~> 1.5)
   rubocop-rspec (~> 1.29)
   simplecov
 
 BUNDLED WITH
-   1.16.6
+   2.1.4

data/README.md

@@ -26,11 +26,11 @@ Use as a complement to other tools at your own risk.
 * Packagist
 * Pypi
 * Go
+* Cargo
 
 ## Prerequisites
 
 * Ruby 2.3 or newer
-* Bundler `gem install bundler`
 
 ## Installation
 

data/dependency_spy.gemspec

@@ -20,24 +20,24 @@ Gem::Specification.new do |spec|
   spec.executables   = ['dependency_spy', 'depspy']
   spec.require_paths = ['lib']
 
-  spec.required_ruby_version = '>= 2.3.7'
+  spec.required_ruby_version = '>= 2.5.5'
 
   # Development
-  spec.add_development_dependency 'bundler', ['~> 1.16']
   spec.add_development_dependency 'codacy-coverage'
-  spec.add_development_dependency 'rake', ['~> 12.3']
+  spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rspec', ['~> 3.8']
   spec.add_development_dependency 'rspec-collection_matchers', ['~> 1.1']
   spec.add_development_dependency 'simplecov'
 
   # Linters
   spec.add_development_dependency 'rubocop', ['~> 0.59']
+  spec.add_development_dependency 'rubocop-performance', ['~> 1.5']
   spec.add_development_dependency 'rubocop-rspec', ['~> 1.29']
 
   # Runtime
-  spec.add_runtime_dependency 'bibliothecary', ['~> 6.3']
-  spec.add_runtime_dependency 'colorize', ['~> 0.8.1']
-  spec.add_runtime_dependency 'semantic_range', ['~> 2.1']
+  spec.add_runtime_dependency 'bibliothecary', ['~> 6.6']
+  spec.add_runtime_dependency 'colorize', ['0.8.1']
+  spec.add_runtime_dependency 'semantic_range', ['~> 2.2']
   spec.add_runtime_dependency 'thor', ['~> 0.20']
-  spec.add_runtime_dependency 'yavdb', ['~> 0.4']
+  spec.add_runtime_dependency 'yavdb', ['~> 0.5']
 end

data/example.depspy.yml

@@ -0,0 +1,12 @@
+path: '/path/to/files' # Path to find files. DEFAULT: Dir.pwd
+files: 'comma.sep,file.list' # Specific file list relative to `path`. DEFAULT: All files
+formatter: 'text' # Output format. DEFAULT: text; AVAILABLE: text,json,yaml
+platform: 'rubygems' # Supported YAVDB package manager lookup. DEFAULT: not specified (ALL); AVAILABLE: (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L31)
+output-path: '/path/to/output' # Path to generate report to. DEFAULT: not specified (console output)
+database-path: '/path/to/yavdb/database' # Path to find/store local YAVDB DB. DEFAULT: YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L28)
+offline: false # Operate in offline mode (don't try to get YAVDB). Must have local YAVDB available. DEFAULT: false; AVAILABLE: true,false
+severity-threshold: 'low' # Threshold for non-zero exit status. Doesn't change output. DEFAULT: 'low'; AVAILABLE: (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L33)
+with-color: true # Generate colored console output. DEFAULT: true; AVAILABLE: true,false
+ignore: # A list of all YAVDB vulnerability identifiers to ignore. Removes from output.
+  - "identifier:to:ignore:19551105"
+vuln-db-path: '/path/to/yavdb' # Path to local YAVDB for updating. DEFAULT: YAVDB::Constants::DEFAULT_YAVDB_PATH (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L27)

data/lib/dependency_spy.rb

@@ -28,25 +28,32 @@ require_relative 'dependency_spy/semver'
 module DependencySpy
   class API
 
-    def self.check(path = Dir.pwd, files = nil, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH, offline = false)
+    def self.check(options)
+      verbose = options[:verbose]
+      path = options[:path] || Dir.pwd
+      files = options[:files]
+      platform = options[:platform]
+      database_path = options[:database_path] || YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH
+      offline = options[:offline] || false
+      ignore = options[:ignore] || []
+
       if !File.exist?(database_path) && offline
         puts 'No local database found. Cannot obtain database since offline mode is enabled.'
         exit(10)
       elsif !offline
-        puts 'Going to update the local vulnerability database.'
+        puts 'Going to update the local vulnerability database.' if verbose
         YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
       end
 
       path             = File.expand_path(path)
       package_managers = find_platform(platform)
       file_list        = if !files.nil?
-                           files.split(',')
+                           files.split(',').map { |f| "#{path}/#{f}" }
                          elsif File.file?(path)
                            path = File.dirname(path)
                            [File.basename(path)]
                          else
-                           cmd = `find #{path} -type f | grep -vE "#{Bibliothecary.ignored_files_regex}"`
-                           cmd.split("\n").sort
+                           Bibliothecary.load_file_info_list(path).map(&:full_path)
                          end
       manifests        = package_managers.map { |pm| pm.analyse(path, file_list) }.flatten.compact
       manifests.map do |manifest|
@@ -65,9 +72,13 @@ module DependencySpy
             vulnerable = vuln.vulnerable_versions ? vuln.vulnerable_versions.any? { |vv| DependencySpy::SemVer.intersects(vv, version) } : false
             unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
             patched    = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
+            ignored    = ignore.include?(vuln.id)
 
             if unaffected || patched
               false
+            elsif ignored
+              puts "Skipping ignored vulnerability with #{vuln.id}." if verbose
+              false
             else
               vulnerable
             end

data/lib/dependency_spy/cli.rb

@@ -24,6 +24,7 @@ require_relative 'formatters/yaml'
 require_relative 'outputs/stdout'
 require_relative 'outputs/file'
 require_relative 'helper/helper'
+require_relative 'helper/config_file'
 
 module DependencySpy
   class CLI < Thor
@@ -37,31 +38,49 @@ module DependencySpy
       DependencySpy::Formatters::Yaml
     ]
 
-    class_option('verbose', :type => :boolean, :default => false)
+    class_option('verbose', :type => :boolean)
 
     desc('check', 'Check dependencies for known vulnerabilities')
-    method_option('path', :aliases => :p, :type => :string, :default => Dir.pwd)
+    method_option('config-file-path', :aliases => :c, :type => :string)
+    method_option('path', :aliases => :p, :type => :string)
     method_option('files', :type => :string)
-    method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase }, :default => FORMATTERS.first.name.split('::').last.downcase)
+    method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase })
     method_option('platform', :aliases => :m, :type => :string, :enum => YAVDB::Constants::POSSIBLE_PACKAGE_MANAGERS.map(&:downcase))
     method_option('output-path', :aliases => :o, :type => :string)
-    method_option('database-path', :type => :string, :aliases => :p, :default => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
-    method_option('offline', :type => :boolean, :default => false)
-    method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES, :default => 'low')
-    method_option('with-color', :type => :boolean, :default => true)
+    method_option('database-path', :type => :string, :aliases => :p)
+    method_option('offline', :type => :boolean)
+    method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES)
+    method_option('with-color', :type => :boolean)
+    method_option('ignore', :aliases => :i, :type => :array)
     def check
-      manifests = API.check(options['path'], options['files'], options['platform'], options['database-path'], options['offline'])
+      defaults = {
+        'verbose' => false,
+        'path' => Dir.pwd,
+        'formatter' => FORMATTERS.first.name.split('::').last.downcase,
+        'database-path' => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH,
+        'offline' => false,
+        'severity-threshold' => 'low',
+        'with-color' => true,
+        'ignore' => []
+      }
+      the_options = defaults.merge(options)
 
-      formatted_output = if (options['formatter'] == 'text') && !options['output-path'] && options['with-color']
-                           DependencySpy::Formatters::Text.format(manifests, options['severity-threshold'])
+      api_options = the_options.transform_keys(&:to_sym)
+      api_options[:database_path] = api_options[:'database-path']
+      the_options.freeze
+      api_options.freeze
+      manifests = API.check(api_options)
+
+      formatted_output = if (the_options['formatter'] == 'text') && !the_options['output-path'] && the_options['with-color']
+                           DependencySpy::Formatters::Text.format(manifests, the_options['severity-threshold'])
                          else
                            FORMATTERS
-                             .find { |f| f.name.split('::').last.downcase == options['formatter'] }
+                             .find { |f| f.name.split('::').last.downcase == the_options['formatter'] }
                              .format(manifests)
                          end
 
-      if options['output-path']
-        DependencySpy::Outputs::FileSystem.write(options['output-path'], formatted_output)
+      if the_options['output-path']
+        DependencySpy::Outputs::FileSystem.write(the_options['output-path'], formatted_output)
       else
         DependencySpy::Outputs::StdOut.write(formatted_output)
       end
@@ -70,7 +89,7 @@ module DependencySpy
         manifests.any? do |manifest|
           manifest[:dependencies]&.any? do |dependency|
             dependency[:vulnerabilities]&.any? do |vuln|
-              DependencySpy::Helper.severity_above_threshold?(vuln.severity, options['severity-threshold'])
+              DependencySpy::Helper.severity_above_threshold?(vuln.severity, the_options['severity-threshold'])
             end
           end
         end
@@ -78,11 +97,25 @@ module DependencySpy
       exit(1) if has_vulnerabilities
     end
 
-    method_option('vuln-db-path', :aliases => :d, :type => :string, :default => YAVDB::Constants::DEFAULT_YAVDB_PATH)
+    method_option('vuln-db-path', :aliases => :d, :type => :string)
     desc('update', 'Download or update database from the official yavdb repository.')
 
     def update
-      API.update(options['vuln-db-path'])
+      defaults = {
+        'verbose' => false,
+        'vuln-db-path' => YAVDB::Constants::DEFAULT_YAVDB_PATH
+      }
+      the_options = defaults.merge(options)
+      the_options.freeze
+      API.update(the_options['vuln-db-path'])
+    end
+
+    private
+
+    def options
+      cli_options = super
+      config_file_options = DependencySpy::ConfigFile.get_config(cli_options[:'config-file-path'])
+      config_file_options.merge(cli_options)
     end
 
   end

data/lib/dependency_spy/formatters/json.rb

@@ -29,7 +29,7 @@ module DependencySpy
 
         filtered_manifests
           .reject { |m| m[:dependencies].nil? }
-          .map(&:to_json)
+          .to_json
       end
 
     end

data/lib/dependency_spy/formatters/text.rb

@@ -28,13 +28,15 @@ module DependencySpy
 
             package_header = "    Vulnerable: #{package.name}/#{package.type}:#{package.version}"
             package_body = package.vulnerabilities.map do |vuln|
-              first = "        Title: #{vuln.title}\n"
-              second = "        Severity: #{(vuln.severity || 'unknown').capitalize}\n"
-              third = "        Source: #{vuln.source_url}\n\n"
+              body = ''
+              body += "        Title: #{vuln.title}\n"
+              body += "        Severity: #{(vuln.severity || 'unknown').capitalize}\n"
+              body += "        Source: #{vuln.source_url}\n"
+              body += "        Identifier: #{vuln.id}\n\n"
               if severity_threshold && DependencySpy::Helper.severity_above_threshold?(vuln.severity, severity_threshold)
-                "#{first}#{second}#{third}".red
+                body.red
               else
-                "#{first}#{second}#{third}"
+                body
               end
             end
 

data/lib/dependency_spy/formatters/yaml.rb

@@ -29,7 +29,7 @@ module DependencySpy
 
         filtered_manifests
           .reject { |m| m[:dependencies].nil? }
-          .map(&:to_json)
+          .to_yaml
       end
 
     end

data/lib/dependency_spy/helper/config_file.rb

@@ -0,0 +1,41 @@
+require 'yaml'
+
+module DependencySpy
+  class ConfigFile
+
+    SAFE_CONFIG_PARAMS = [
+      'path',
+      'files',
+      'formatter',
+      'platform',
+      'output-path',
+      'database-path',
+      'offline',
+      'severity-threshold',
+      'with-color',
+      'ignore',
+      'vuln-db-path'
+    ].freeze
+
+    def self.get_config(config_file_path = nil)
+      if !config_file_path.nil? && !File.file?(config_file_path)
+        puts 'Config file specified but not found.'
+        exit(10)
+
+      end
+
+      begin
+        file_path = config_file_path || '.depspy.yml'
+        config = YAML.load_file(file_path) || {}
+        config.slice(*SAFE_CONFIG_PARAMS)
+      rescue Errno::ENOENT
+        {}
+      rescue Psych::SyntaxError => e
+        puts 'Config File Parsing Error:'
+        puts e.message
+        exit(10)
+      end
+    end
+
+  end
+end

data/lib/dependency_spy/semver.rb

@@ -42,6 +42,7 @@ module DependencySpy
       private
 
       def parse(version_or_range, loose = false)
+        version_or_range = '>= 0.0.0' if version_or_range == '*'
         return version_or_range if version_or_range.is_a?(SemanticRange::Range) ||
                                    version_or_range.is_a?(SemanticRange::Version)
 

data/lib/dependency_spy/version.rb

@@ -16,6 +16,6 @@
 
 module DependencySpy
 
-  VERSION = '0.3.0'
+  VERSION = '0.6.1'
 
 end

metadata

@@ -1,29 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: dependency_spy
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.6.1
 platform: ruby
 authors:
 - Rodrigo Fernandes
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-10-28 00:00:00.000000000 Z
+date: 2020-09-04 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.16'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.16'
 - !ruby/object:Gem::Dependency
   name: codacy-coverage
   requirement: !ruby/object:Gem::Requirement
@@ -44,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -108,6 +94,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.59'
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
@@ -128,26 +128,26 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.3'
+        version: '6.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.3'
+        version: '6.6'
 - !ruby/object:Gem::Dependency
   name: colorize
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
         version: 0.8.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
         version: 0.8.1
 - !ruby/object:Gem::Dependency
@@ -156,14 +156,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '2.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -184,14 +184,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.4'
+        version: '0.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.4'
+        version: '0.5'
 description: "\n    Finds known vulnerabilities in your dependencies\n    Using rubysec/ruby-advisory-db,
   snyk.io, ossindex.net, nodesecurity.io\n  "
 email:
@@ -203,11 +203,15 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".circleci/config.yml"
+- ".github/ISSUE_TEMPLATE/bug_report.md"
+- ".github/ISSUE_TEMPLATE/feature_request.md"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
+- ".rubocop_todo.yml"
 - ".ruby-version"
 - CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
 - Gemfile
 - Gemfile.lock
 - LICENSE
@@ -218,6 +222,7 @@ files:
 - bin/depspy
 - bin/setup
 - dependency_spy.gemspec
+- example.depspy.yml
 - examples/Gemfile
 - examples/Gemfile.lock
 - examples/npm-shrinkwrap.json
@@ -229,6 +234,7 @@ files:
 - lib/dependency_spy/formatters/json.rb
 - lib/dependency_spy/formatters/text.rb
 - lib/dependency_spy/formatters/yaml.rb
+- lib/dependency_spy/helper/config_file.rb
 - lib/dependency_spy/helper/helper.rb
 - lib/dependency_spy/outputs/file.rb
 - lib/dependency_spy/outputs/stdout.rb
@@ -246,7 +252,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.7
+      version: 2.5.5
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -254,7 +260,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2.3
+rubygems_version: 2.7.6.2
 signing_key: 
 specification_version: 4
 summary: Finds known vulnerabilities in your dependencies