dependency_spy 0.4.1 → 0.5.0
- checksums.yaml +4 -4
- data/.github/ISSUE_TEMPLATE/bug_report.md +32 -0
- data/.github/ISSUE_TEMPLATE/feature_request.md +20 -0
- data/CONTRIBUTING.md +60 -0
- data/Gemfile.lock +26 -18
- data/lib/dependency_spy.rb +14 -2
- data/lib/dependency_spy/cli.rb +2 -1
- data/lib/dependency_spy/formatters/json.rb +1 -1
- data/lib/dependency_spy/formatters/text.rb +7 -5
- data/lib/dependency_spy/formatters/yaml.rb +1 -1
- data/lib/dependency_spy/version.rb +1 -1
- metadata +5 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0ddb60aae0c5f147e8a30d6ace566ef78bbdc0ec19347ca1f7ba293c9fbeace0
|
4
|
+
data.tar.gz: 7b8af132b777ab01bb86e9bb411b301a6b43efd7e5f5041a60aab32d21ba2dce
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9f28a41c70c1180129d3ad64324c5eb8248154bdef020751839e7772650c62ad36ff5307e3666d5dbab6d045269d4ce54b19f54c6c5231258260c5a42841b2e3
|
7
|
+
data.tar.gz: 872132f723b4a31fc739680ae336a151cca2b054d900ea5e33e52f1cee37be3f2acf4a8ceb6d4fd867a7bc1cf475c86dca0c1207d8769ec56b86f23e66ac62dd
|
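Review bot: the removed digest lines (old 3–4 and 6–7) render empty in this view, so the hunk cannot be used to compare the 0.4.1 and 0.5.0 archives; beyond that, checksums.yaml is generated at `gem build` time and only lets a consumer check archive integrity, it does not authenticate who built the gem (the metadata file below still carries `cert_chain: []`, i.e. the release is unsigned).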
@@ -0,0 +1,32 @@
|
|
1
|
+
---
|
2
|
+
name: Bug report
|
3
|
+
about: Create a report to help us improve
|
4
|
+
title: ''
|
5
|
+
labels: ''
|
6
|
+
assignees: ''
|
7
|
+
|
8
|
+
---
|
9
|
+
|
10
|
+
**Describe the bug**
|
11
|
+
A clear and concise description of what the bug is.
|
12
|
+
|
13
|
+
**To Reproduce**
|
14
|
+
Steps to reproduce the behavior:
|
15
|
+
1. Go to '...'
|
16
|
+
2. Click on '....'
|
17
|
+
3. Scroll down to '....'
|
18
|
+
4. See error
|
19
|
+
|
20
|
+
**Expected behavior**
|
21
|
+
A clear and concise description of what you expected to happen.
|
22
|
+
|
23
|
+
**Screenshots**
|
24
|
+
If applicable, add screenshots to help explain your problem.
|
25
|
+
|
26
|
+
**Desktop (please complete the following information):**
|
27
|
+
- OS: [e.g. Windows, Linux, Mac]
|
28
|
+
- Ruby Version [e.g. 2.5.5]
|
29
|
+
- Version [e.g. 22]
|
30
|
+
|
31
|
+
**Additional context**
|
32
|
+
Add any other context about the problem here.
|
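Review bot: the `- Version [e.g. 22]` placeholder under **Desktop** in this bug_report.md is GitHub's stock template text and does not fit the project; change it to something like `- dependency_spy version [e.g. 0.5.0]`, and since the scanner's output keys on `package.type` (see the text formatter's `#{package.name}/#{package.type}:#{package.version}` header), asking for the manifest type being scanned would make reports reproducible.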
@@ -0,0 +1,20 @@
|
|
1
|
+
---
|
2
|
+
name: Feature request
|
3
|
+
about: Suggest an idea for this project
|
4
|
+
title: ''
|
5
|
+
labels: ''
|
6
|
+
assignees: ''
|
7
|
+
|
8
|
+
---
|
9
|
+
|
10
|
+
**Is your feature request related to a problem? Please describe.**
|
11
|
+
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
|
12
|
+
|
13
|
+
**Describe the solution you'd like**
|
14
|
+
A clear and concise description of what you want to happen.
|
15
|
+
|
16
|
+
**Describe alternatives you've considered**
|
17
|
+
A clear and concise description of any alternative solutions or features you've considered.
|
18
|
+
|
19
|
+
**Additional context**
|
20
|
+
Add any other context or screenshots about the feature request here.
|
data/CONTRIBUTING.md
ADDED
@@ -0,0 +1,60 @@
|
|
1
|
+
## How to contribute to dependency_spy
|
2
|
+
|
3
|
+
### Main rules
|
4
|
+
|
5
|
+
* Before you open a ticket or send a pull request, [search](https://github.com/rtfpessoa/dependency_spy/issues) for previous discussions about the same feature or issue. Add to the earlier ticket if you find one.
|
6
|
+
|
7
|
+
* If you're proposing a new feature, make sure you create an issue to let other contributors know what you are working on.
|
8
|
+
|
9
|
+
* Before sending a pull request make sure your code is tested.
|
10
|
+
|
11
|
+
* Before sending a pull request for a feature, be sure to run tests.
|
12
|
+
|
13
|
+
* Use the same coding style as the rest of the codebase.
|
14
|
+
|
15
|
+
* Use `git rebase` (not `git merge`) to sync your work from time to time with the master branch.
|
16
|
+
|
17
|
+
* After creating your pull request make sure the build is passing on [CircleCI](https://circleci.com/gh/rtfpessoa/dependency_spy)
|
18
|
+
and that [Codacy](https://www.codacy.com/app/rtfpessoa/dependency_spy) is also confident in the code quality.
|
19
|
+
|
20
|
+
### Commit Style
|
21
|
+
|
22
|
+
Writing good commit logs is important. A commit log should describe what changed and why.
|
23
|
+
Follow these guidelines when writing one:
|
24
|
+
|
25
|
+
1. The first line should be 50 characters or less and contain a short
|
26
|
+
description of the change prefixed with the name of the changed
|
27
|
+
subsystem (e.g. "net: add localAddress and localPort to Socket").
|
28
|
+
2. Keep the second line blank.
|
29
|
+
3. Wrap all other lines at 72 columns.
|
30
|
+
|
31
|
+
A good commit log can look something like this:
|
32
|
+
|
33
|
+
```
|
34
|
+
subsystem: explaining the commit in one line
|
35
|
+
|
36
|
+
Body of commit message is a few lines of text, explaining things
|
37
|
+
in more detail, possibly giving some background about the issue
|
38
|
+
being fixed, etc. etc.
|
39
|
+
|
40
|
+
The body of the commit message can be several paragraphs, and
|
41
|
+
please do proper word-wrap and keep columns shorter than about
|
42
|
+
72 characters or so. That way `git log` will show things
|
43
|
+
nicely even when it is indented.
|
44
|
+
```
|
45
|
+
|
46
|
+
### Developer's Certificate of Origin 1.0
|
47
|
+
|
48
|
+
By making a contribution to this project, I certify that:
|
49
|
+
|
50
|
+
* (a) The contribution was created in whole or in part by me and I
|
51
|
+
have the right to submit it under the open source license indicated
|
52
|
+
in the file; or
|
53
|
+
* (b) The contribution is based upon previous work that, to the best
|
54
|
+
of my knowledge, is covered under an appropriate open source license
|
55
|
+
and I have the right under that license to submit that work with
|
56
|
+
modifications, whether created in whole or in part by me, under the
|
57
|
+
same open source license (unless I am permitted to submit under a
|
58
|
+
different license), as indicated in the file; or
|
59
|
+
* (c) The contribution was provided directly to me by some other
|
60
|
+
person who certified (a), (b) or (c) and I have not modified it.
|
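Review bot: bullets 9 and 11 (`Before sending a pull request make sure your code is tested.` and `Before sending a pull request for a feature, be sure to run tests.`) say the same thing; merge them into one rule that names the commands to run (the Gemfile.lock in this release lists rspec and rubocop, so e.g. `bundle exec rspec` and `bundle exec rubocop`). Lines 17–18 also split one sentence across two bullets in source; keeping the CircleCI/Codacy sentence on one line avoids a rendering surprise if the list is ever reflowed.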
data/Gemfile.lock
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
dependency_spy (0.
|
4
|
+
dependency_spy (0.5.0)
|
5
5
|
bibliothecary (~> 6.6)
|
6
6
|
colorize (= 0.8.1)
|
7
7
|
semantic_range (~> 2.2)
|
@@ -13,12 +13,14 @@ GEM
|
|
13
13
|
specs:
|
14
14
|
ansi (1.5.0)
|
15
15
|
ast (2.4.0)
|
16
|
-
bibliothecary (6.
|
16
|
+
bibliothecary (6.7.3)
|
17
17
|
commander
|
18
18
|
deb_control
|
19
19
|
librariesio-gem-parser
|
20
20
|
ox (>= 2.8.1)
|
21
21
|
sdl4r
|
22
|
+
strings
|
23
|
+
strings-ansi
|
22
24
|
toml-rb (~> 1.0)
|
23
25
|
typhoeus
|
24
26
|
citrus (3.0.2)
|
@@ -29,21 +31,21 @@ GEM
|
|
29
31
|
highline (~> 2.0.0)
|
30
32
|
deb_control (0.0.1)
|
31
33
|
diff-lcs (1.3)
|
32
|
-
docile (1.3.
|
34
|
+
docile (1.3.2)
|
33
35
|
ethon (0.12.0)
|
34
36
|
ffi (>= 1.3.0)
|
35
37
|
execjs (2.7.0)
|
36
|
-
ffi (1.11.
|
38
|
+
ffi (1.11.1)
|
37
39
|
highline (2.0.2)
|
38
|
-
jaro_winkler (1.5.
|
40
|
+
jaro_winkler (1.5.3)
|
39
41
|
json (2.2.0)
|
40
|
-
kramdown (1.
|
42
|
+
kramdown (2.1.0)
|
41
43
|
librariesio-gem-parser (1.0.0)
|
42
44
|
libv8 (3.16.14.19-x86_64-linux)
|
43
45
|
oga (2.15)
|
44
46
|
ast
|
45
47
|
ruby-ll (~> 2.1)
|
46
|
-
ox (2.
|
48
|
+
ox (2.11.0)
|
47
49
|
parallel (1.17.0)
|
48
50
|
parser (2.6.3.0)
|
49
51
|
ast (~> 2.4.0)
|
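Review bot: `kramdown (1.` to `kramdown (2.1.0)` is a major-version jump arriving transitively (the new `yavdb (0.5.2)` block later in this lockfile requires `kramdown (~> 2.1)`), not a bump this project chose; call it out in the changelog and confirm nothing in dependency_spy's own code requires kramdown directly, because kramdown 2.x moved several parsers and converters out of the core gem into separate gems.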
@@ -56,16 +58,16 @@ GEM
|
|
56
58
|
rspec-mocks (~> 3.8.0)
|
57
59
|
rspec-collection_matchers (1.1.3)
|
58
60
|
rspec-expectations (>= 2.99.0.beta1)
|
59
|
-
rspec-core (3.8.
|
61
|
+
rspec-core (3.8.2)
|
60
62
|
rspec-support (~> 3.8.0)
|
61
|
-
rspec-expectations (3.8.
|
63
|
+
rspec-expectations (3.8.4)
|
62
64
|
diff-lcs (>= 1.2.0, < 2.0)
|
63
65
|
rspec-support (~> 3.8.0)
|
64
|
-
rspec-mocks (3.8.
|
66
|
+
rspec-mocks (3.8.1)
|
65
67
|
diff-lcs (>= 1.2.0, < 2.0)
|
66
68
|
rspec-support (~> 3.8.0)
|
67
|
-
rspec-support (3.8.
|
68
|
-
rubocop (0.
|
69
|
+
rspec-support (3.8.2)
|
70
|
+
rubocop (0.72.0)
|
69
71
|
jaro_winkler (~> 1.5.1)
|
70
72
|
parallel (~> 1.10)
|
71
73
|
parser (>= 2.6)
|
@@ -77,15 +79,20 @@ GEM
|
|
77
79
|
ruby-ll (2.1.2)
|
78
80
|
ansi
|
79
81
|
ast
|
80
|
-
ruby-progressbar (1.10.
|
82
|
+
ruby-progressbar (1.10.1)
|
81
83
|
sdl4r (0.9.11)
|
82
84
|
semantic_interval (0.1.0)
|
83
85
|
semantic_range (2.2.1)
|
84
|
-
simplecov (0.
|
86
|
+
simplecov (0.17.0)
|
85
87
|
docile (~> 1.1)
|
86
88
|
json (>= 1.8, < 3)
|
87
89
|
simplecov-html (~> 0.10.0)
|
88
90
|
simplecov-html (0.10.2)
|
91
|
+
strings (0.1.5)
|
92
|
+
strings-ansi (~> 0.1)
|
93
|
+
unicode-display_width (~> 1.5)
|
94
|
+
unicode_utils (~> 1.4)
|
95
|
+
strings-ansi (0.1.0)
|
89
96
|
therubyracer (0.12.3)
|
90
97
|
libv8 (~> 3.16.14.15)
|
91
98
|
ref
|
@@ -95,10 +102,11 @@ GEM
|
|
95
102
|
typhoeus (1.3.1)
|
96
103
|
ethon (>= 0.9.0)
|
97
104
|
unicode-display_width (1.6.0)
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
105
|
+
unicode_utils (1.4.0)
|
106
|
+
yavdb (0.5.2)
|
107
|
+
execjs (~> 2.7)
|
108
|
+
json (~> 2.2)
|
109
|
+
kramdown (~> 2.1)
|
102
110
|
oga (~> 2.15)
|
103
111
|
semantic_interval (~> 0.1)
|
104
112
|
therubyracer (~> 0.12)
|
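Review bot: the four removed lines (old 98–101) render empty here, so what the new `yavdb (0.5.2)` block replaces cannot be reviewed from this hunk alone; the surviving context shows yavdb depending on `therubyracer (~> 0.12)`, which is what pins the `libv8 (3.16.14.19-x86_64-linux)` build seen earlier in this lockfile, a V8 line that upstream stopped maintaining years ago. For a tool whose purpose is flagging vulnerable dependencies, that embedded JS engine is the dependency-risk item to track, and the `x86_64-linux` platform suffix means the Gemfile.lock shipped inside the gem is platform-specific.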
data/lib/dependency_spy.rb
CHANGED
@@ -28,12 +28,20 @@ require_relative 'dependency_spy/semver'
|
|
28
28
|
module DependencySpy
|
29
29
|
class API
|
30
30
|
|
31
|
-
def self.check(
|
31
|
+
def self.check(options)
|
32
|
+
verbose = options[:verbose]
|
33
|
+
path = options[:path] || Dir.pwd
|
34
|
+
files = options[:files]
|
35
|
+
platform = options[:platform]
|
36
|
+
database_path = options[:database_path] || YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH
|
37
|
+
offline = options[:offline] || false
|
38
|
+
ignore = options[:ignore] || []
|
39
|
+
|
32
40
|
if !File.exist?(database_path) && offline
|
33
41
|
puts 'No local database found. Cannot obtain database since offline mode is enabled.'
|
34
42
|
exit(10)
|
35
43
|
elsif !offline
|
36
|
-
puts 'Going to update the local vulnerability database.'
|
44
|
+
puts 'Going to update the local vulnerability database.' if verbose
|
37
45
|
YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
|
38
46
|
end
|
39
47
|
|
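Review bot: `API.check` now reads symbol keys (`options[:verbose]`, `options[:path]`, `options[:ignore]`, …) while `cli.rb` reads the same Thor hash with string keys (`options['formatter']`, `options['severity-threshold']`). Thor's options hash is indifferent-access so the CLI path works, but any other caller passing a plain Hash with string keys silently gets `nil` for every option, so `offline` falls back to false and the database download runs; either document the expected keys above the method or normalise with `options = options.transform_keys(&:to_sym)` as the first line. Unchanged context, but worth noting while the signature is being reworked: `exit(10)` inside a library method terminates the caller's process; raising an error and letting the CLI decide the exit code keeps `API.check` usable from other code.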
@@ -64,9 +72,13 @@ module DependencySpy
|
|
64
72
|
vulnerable = vuln.vulnerable_versions ? vuln.vulnerable_versions.any? { |vv| DependencySpy::SemVer.intersects(vv, version) } : false
|
65
73
|
unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
|
66
74
|
patched = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
|
75
|
+
ignored = ignore.include?(vuln.id)
|
67
76
|
|
68
77
|
if unaffected || patched
|
69
78
|
false
|
79
|
+
elsif ignored
|
80
|
+
puts "Skipping ignored vulnerability with #{vuln.id}." if verbose
|
81
|
+
false
|
70
82
|
else
|
71
83
|
vulnerable
|
72
84
|
end
|
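Review bot: an ignored vulnerability is dropped from the result exactly like a patched one, with only a `puts` to stdout when `verbose` is set, so a report produced with `--ignore` gives no indication that findings were suppressed or how many. For auditability the ignore decision should surface in the formatted output (for example a separate "ignored" list per package), or at minimum be logged regardless of `verbose`; note also that `ignore.include?(vuln.id)` is an exact string match, which is fine as long as the documented input is the same `vuln.id` the formatter prints. Minor wording: `"Skipping ignored vulnerability with #{vuln.id}."` reads better as `"Skipping ignored vulnerability with id #{vuln.id}."`.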
data/lib/dependency_spy/cli.rb
CHANGED
@@ -49,8 +49,9 @@ module DependencySpy
|
|
49
49
|
method_option('offline', :type => :boolean, :default => false)
|
50
50
|
method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES, :default => 'low')
|
51
51
|
method_option('with-color', :type => :boolean, :default => true)
|
52
|
+
method_option('ignore', :aliases => :i, :type => :array, :default => [])
|
52
53
|
def check
|
53
|
-
manifests = API.check(options
|
54
|
+
manifests = API.check(options)
|
54
55
|
|
55
56
|
formatted_output = if (options['formatter'] == 'text') && !options['output-path'] && options['with-color']
|
56
57
|
DependencySpy::Formatters::Text.format(manifests, options['severity-threshold'])
|
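Review bot: the new `method_option('ignore', :aliases => :i, :type => :array, :default => [])` has no `:desc`, and this release touches no README or changelog, so users have no way to discover the option or learn what to pass. Add a description stating that values are the identifiers shown on the text formatter's `Identifier:` line (`vuln.id`) and that Thor array options take space-separated values (`--ignore ID1 ID2`).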
@@ -28,13 +28,15 @@ module DependencySpy
|
|
28
28
|
|
29
29
|
package_header = " Vulnerable: #{package.name}/#{package.type}:#{package.version}"
|
30
30
|
package_body = package.vulnerabilities.map do |vuln|
|
31
|
-
|
32
|
-
|
33
|
-
|
31
|
+
body = ''
|
32
|
+
body += " Title: #{vuln.title}\n"
|
33
|
+
body += " Severity: #{(vuln.severity || 'unknown').capitalize}\n"
|
34
|
+
body += " Source: #{vuln.source_url}\n"
|
35
|
+
body += " Identifier: #{vuln.id}\n\n"
|
34
36
|
if severity_threshold && DependencySpy::Helper.severity_above_threshold?(vuln.severity, severity_threshold)
|
35
|
-
|
37
|
+
body.red
|
36
38
|
else
|
37
|
-
|
39
|
+
body
|
38
40
|
end
|
39
41
|
end
|
40
42
|
|
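Review bot: in this formatters/text.rb hunk (its file header was lost in this view) a nil severity is defaulted to `'unknown'` for display, but the very next line still passes the raw `vuln.severity` to `DependencySpy::Helper.severity_above_threshold?`; confirm that helper accepts nil or apply the same fallback there, otherwise a record without a severity either raises or quietly loses the red highlight that signals it crossed the threshold. Style: `body +=` allocates a new String per line; `body << "..."` or a single heredoc is the idiomatic form, though harmless at this size.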
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependency_spy
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.5.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Rodrigo Fernandes
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-
|
11
|
+
date: 2019-07-03 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: codacy-coverage
|
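Review bot: `cert_chain: []` in the unchanged context means 0.5.0 ships unsigned, so the refreshed checksums.yaml digests prove only that the archive is intact, not who produced it; for a security tool it is worth setting `signing_key` and `cert_chain` in the gemspec (`gem cert` generates the pair) so consumers can install with a `--trust-policy` that rejects unsigned or tampered gems.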
@@ -189,11 +189,14 @@ extensions: []
|
|
189
189
|
extra_rdoc_files: []
|
190
190
|
files:
|
191
191
|
- ".circleci/config.yml"
|
192
|
+
- ".github/ISSUE_TEMPLATE/bug_report.md"
|
193
|
+
- ".github/ISSUE_TEMPLATE/feature_request.md"
|
192
194
|
- ".gitignore"
|
193
195
|
- ".rspec"
|
194
196
|
- ".rubocop.yml"
|
195
197
|
- ".ruby-version"
|
196
198
|
- CODE_OF_CONDUCT.md
|
199
|
+
- CONTRIBUTING.md
|
197
200
|
- Gemfile
|
198
201
|
- Gemfile.lock
|
199
202
|
- LICENSE
|
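Review bot: `.github/ISSUE_TEMPLATE/*.md` and `CONTRIBUTING.md` are repository-facing documents, and together with `.circleci/config.yml`, `.rubocop.yml` and `Gemfile.lock` (unchanged context) they are now packaged into the gem's `files`; tightening the gemspec's file list to `lib/`, `bin/` and the licence/readme keeps the installed artifact to what it needs and stops unrelated repo housekeeping from changing the release checksums.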