dependency_spy 0.4.1 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: bd76c3bfcbdcc405ea294b2005b889bb58ec929743debec07993c7779d564d98
4
- data.tar.gz: 9ce10481a76d8dbb4381a3acacf76ece5dbfc0e1d9b82bece3dbef121ce1db2f
3
+ metadata.gz: 0ddb60aae0c5f147e8a30d6ace566ef78bbdc0ec19347ca1f7ba293c9fbeace0
4
+ data.tar.gz: 7b8af132b777ab01bb86e9bb411b301a6b43efd7e5f5041a60aab32d21ba2dce
5
5
  SHA512:
6
- metadata.gz: bf1d350bbbe04a198ae7623b93bfbc8f03efa912a4d81de2025fdb434a6fd5ba2a3dd0b3faf0b23f5070b5d05b7d4d8612ae0fe48229a884712111be6a62784d
7
- data.tar.gz: 791adfff9cfc910ddd0fdf78bbf96d65c55e93c6f4b51fd8a947cc3eedac0fbe76e8462b72f1314df151aa44999bee5b4b5117dc44bcc09111c3cdfa915557a5
6
+ metadata.gz: 9f28a41c70c1180129d3ad64324c5eb8248154bdef020751839e7772650c62ad36ff5307e3666d5dbab6d045269d4ce54b19f54c6c5231258260c5a42841b2e3
7
+ data.tar.gz: 872132f723b4a31fc739680ae336a151cca2b054d900ea5e33e52f1cee37be3f2acf4a8ceb6d4fd867a7bc1cf475c86dca0c1207d8769ec56b86f23e66ac62dd
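Review bot: all four digests change together, as expected for a new release, but nothing on this page ties the new SHA256 values for `metadata.gz` and `data.tar.gz` to the artifact the registry actually serves; before trusting the bump, fetch it (`gem fetch dependency_spy -v 0.5.0`), unpack the `.gem` tarball (`tar -xf dependency_spy-0.5.0.gem`) and run `sha256sum metadata.gz data.tar.gz` to reproduce the two values shown on the `+` lines.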
@@ -0,0 +1,32 @@
1
+ ---
2
+ name: Bug report
3
+ about: Create a report to help us improve
4
+ title: ''
5
+ labels: ''
6
+ assignees: ''
7
+
8
+ ---
9
+
10
+ **Describe the bug**
11
+ A clear and concise description of what the bug is.
12
+
13
+ **To Reproduce**
14
+ Steps to reproduce the behavior:
15
+ 1. Go to '...'
16
+ 2. Click on '....'
17
+ 3. Scroll down to '....'
18
+ 4. See error
19
+
20
+ **Expected behavior**
21
+ A clear and concise description of what you expected to happen.
22
+
23
+ **Screenshots**
24
+ If applicable, add screenshots to help explain your problem.
25
+
26
+ **Desktop (please complete the following information):**
27
+ - OS: [e.g. Windows, Linux, Mac]
28
+ - Ruby Version [e.g. 2.5.5]
29
+ - Version [e.g. 22]
30
+
31
+ **Additional context**
32
+ Add any other context about the problem here.
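Review bot: this hunk carries no file name in the rendering; the metadata file list later on the page attributes it to `.github/ISSUE_TEMPLATE/bug_report.md`. It is the stock GitHub bug template with a single edit (the `Ruby Version` field), so the leftover `Version [e.g. 22]` placeholder should say which version is meant (`dependency_spy version [e.g. 0.5.0]`), and the `Go to '...'` / `Click on '....'` reproduction steps fit a GUI rather than a command-line scanner; asking for the exact command line, the manifest type and the `--platform` used would produce far more actionable reports.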
@@ -0,0 +1,20 @@
1
+ ---
2
+ name: Feature request
3
+ about: Suggest an idea for this project
4
+ title: ''
5
+ labels: ''
6
+ assignees: ''
7
+
8
+ ---
9
+
10
+ **Is your feature request related to a problem? Please describe.**
11
+ A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12
+
13
+ **Describe the solution you'd like**
14
+ A clear and concise description of what you want to happen.
15
+
16
+ **Describe alternatives you've considered**
17
+ A clear and concise description of any alternative solutions or features you've considered.
18
+
19
+ **Additional context**
20
+ Add any other context or screenshots about the feature request here.
@@ -0,0 +1,60 @@
1
+ ## How to contribute to dependency_spy
2
+
3
+ ### Main rules
4
+
5
+ * Before you open a ticket or send a pull request, [search](https://github.com/rtfpessoa/dependency_spy/issues) for previous discussions about the same feature or issue. Add to the earlier ticket if you find one.
6
+
7
+ * If you're proposing a new feature, make sure you create an issue to let other contributors know what you are working on.
8
+
9
+ * Before sending a pull request make sure your code is tested.
10
+
11
+ * Before sending a pull request for a feature, be sure to run tests.
12
+
13
+ * Use the same coding style as the rest of the codebase.
14
+
15
+ * Use `git rebase` (not `git merge`) to sync your work from time to time with the master branch.
16
+
17
+ * After creating your pull request make sure the build is passing on [CircleCI](https://circleci.com/gh/rtfpessoa/dependency_spy)
18
+ and that [Codacy](https://www.codacy.com/app/rtfpessoa/dependency_spy) is also confident in the code quality.
19
+
20
+ ### Commit Style
21
+
22
+ Writing good commit logs is important. A commit log should describe what changed and why.
23
+ Follow these guidelines when writing one:
24
+
25
+ 1. The first line should be 50 characters or less and contain a short
26
+ description of the change prefixed with the name of the changed
27
+ subsystem (e.g. "net: add localAddress and localPort to Socket").
28
+ 2. Keep the second line blank.
29
+ 3. Wrap all other lines at 72 columns.
30
+
31
+ A good commit log can look something like this:
32
+
33
+ ```
34
+ subsystem: explaining the commit in one line
35
+
36
+ Body of commit message is a few lines of text, explaining things
37
+ in more detail, possibly giving some background about the issue
38
+ being fixed, etc. etc.
39
+
40
+ The body of the commit message can be several paragraphs, and
41
+ please do proper word-wrap and keep columns shorter than about
42
+ 72 characters or so. That way `git log` will show things
43
+ nicely even when it is indented.
44
+ ```
45
+
46
+ ### Developer's Certificate of Origin 1.0
47
+
48
+ By making a contribution to this project, I certify that:
49
+
50
+ * (a) The contribution was created in whole or in part by me and I
51
+ have the right to submit it under the open source license indicated
52
+ in the file; or
53
+ * (b) The contribution is based upon previous work that, to the best
54
+ of my knowledge, is covered under an appropriate open source license
55
+ and I have the right under that license to submit that work with
56
+ modifications, whether created in whole or in part by me, under the
57
+ same open source license (unless I am permitted to submit under a
58
+ different license), as indicated in the file; or
59
+ * (c) The contribution was provided directly to me by some other
60
+ person who certified (a), (b) or (c) and I have not modified it.
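Review bot: the third and fourth bullets under "Main rules" ("make sure your code is tested" and "be sure to run tests") say the same thing and one of them should go; the CircleCI/Codacy bullet is the only one without a closing period. The DCO section quotes clauses (a) to (c), which is the complete text of version 1.0 (clause (d) was added in 1.1), so the heading is accurate. Like the two issue templates, this hunk is unnamed here; the metadata file list adds `CONTRIBUTING.md`.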
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- dependency_spy (0.4.1)
4
+ dependency_spy (0.5.0)
5
5
  bibliothecary (~> 6.6)
6
6
  colorize (= 0.8.1)
7
7
  semantic_range (~> 2.2)
@@ -13,12 +13,14 @@ GEM
13
13
  specs:
14
14
  ansi (1.5.0)
15
15
  ast (2.4.0)
16
- bibliothecary (6.6.0)
16
+ bibliothecary (6.7.3)
17
17
  commander
18
18
  deb_control
19
19
  librariesio-gem-parser
20
20
  ox (>= 2.8.1)
21
21
  sdl4r
22
+ strings
23
+ strings-ansi
22
24
  toml-rb (~> 1.0)
23
25
  typhoeus
24
26
  citrus (3.0.2)
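Review bot: the bibliothecary bump from 6.6.0 to 6.7.3 introduces two transitive runtime gems, `strings` and `strings-ansi`, that were not present in the 0.4.1 lock. For a tool whose purpose is auditing other projects' dependencies, new transitive dependencies deserve a line in the release notes and a run of the tool against its own `Gemfile.lock` before tagging. The gemspec constraint in the PATH section (`bibliothecary (~> 6.6)`) still admits 6.7.3, so no gemspec change is required.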
@@ -29,21 +31,21 @@ GEM
29
31
  highline (~> 2.0.0)
30
32
  deb_control (0.0.1)
31
33
  diff-lcs (1.3)
32
- docile (1.3.1)
34
+ docile (1.3.2)
33
35
  ethon (0.12.0)
34
36
  ffi (>= 1.3.0)
35
37
  execjs (2.7.0)
36
- ffi (1.11.0)
38
+ ffi (1.11.1)
37
39
  highline (2.0.2)
38
- jaro_winkler (1.5.2)
40
+ jaro_winkler (1.5.3)
39
41
  json (2.2.0)
40
- kramdown (1.17.0)
42
+ kramdown (2.1.0)
41
43
  librariesio-gem-parser (1.0.0)
42
44
  libv8 (3.16.14.19-x86_64-linux)
43
45
  oga (2.15)
44
46
  ast
45
47
  ruby-ll (~> 2.1)
46
- ox (2.10.0)
48
+ ox (2.11.0)
47
49
  parallel (1.17.0)
48
50
  parser (2.6.3.0)
49
51
  ast (~> 2.4.0)
@@ -56,16 +58,16 @@ GEM
56
58
  rspec-mocks (~> 3.8.0)
57
59
  rspec-collection_matchers (1.1.3)
58
60
  rspec-expectations (>= 2.99.0.beta1)
59
- rspec-core (3.8.0)
61
+ rspec-core (3.8.2)
60
62
  rspec-support (~> 3.8.0)
61
- rspec-expectations (3.8.3)
63
+ rspec-expectations (3.8.4)
62
64
  diff-lcs (>= 1.2.0, < 2.0)
63
65
  rspec-support (~> 3.8.0)
64
- rspec-mocks (3.8.0)
66
+ rspec-mocks (3.8.1)
65
67
  diff-lcs (>= 1.2.0, < 2.0)
66
68
  rspec-support (~> 3.8.0)
67
- rspec-support (3.8.0)
68
- rubocop (0.69.0)
69
+ rspec-support (3.8.2)
70
+ rubocop (0.72.0)
69
71
  jaro_winkler (~> 1.5.1)
70
72
  parallel (~> 1.10)
71
73
  parser (>= 2.6)
@@ -77,15 +79,20 @@ GEM
77
79
  ruby-ll (2.1.2)
78
80
  ansi
79
81
  ast
80
- ruby-progressbar (1.10.0)
82
+ ruby-progressbar (1.10.1)
81
83
  sdl4r (0.9.11)
82
84
  semantic_interval (0.1.0)
83
85
  semantic_range (2.2.1)
84
- simplecov (0.16.1)
86
+ simplecov (0.17.0)
85
87
  docile (~> 1.1)
86
88
  json (>= 1.8, < 3)
87
89
  simplecov-html (~> 0.10.0)
88
90
  simplecov-html (0.10.2)
91
+ strings (0.1.5)
92
+ strings-ansi (~> 0.1)
93
+ unicode-display_width (~> 1.5)
94
+ unicode_utils (~> 1.4)
95
+ strings-ansi (0.1.0)
89
96
  therubyracer (0.12.3)
90
97
  libv8 (~> 3.16.14.15)
91
98
  ref
@@ -95,10 +102,11 @@ GEM
95
102
  typhoeus (1.3.1)
96
103
  ethon (>= 0.9.0)
97
104
  unicode-display_width (1.6.0)
98
- yavdb (0.5.1)
99
- execjs (~> 2.7.0)
100
- json (~> 2.1)
101
- kramdown (~> 1.17)
105
+ unicode_utils (1.4.0)
106
+ yavdb (0.5.2)
107
+ execjs (~> 2.7)
108
+ json (~> 2.2)
109
+ kramdown (~> 2.1)
102
110
  oga (~> 2.15)
103
111
  semantic_interval (~> 0.1)
104
112
  therubyracer (~> 0.12)
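Review bot: the kramdown jump from 1.17.0 to 2.1.0 in an earlier hunk crosses a major version, and this hunk shows why: yavdb 0.5.2 relaxed `kramdown (~> 1.17)` to `kramdown (~> 2.1)`. kramdown 2.x moved several parsers and syntax highlighters (the GFM parser among them) out into separate gems, so confirm that yavdb 0.5.2 still renders its advisory text correctly with the 2.x default set before shipping. The `execjs` and `json` constraint changes are likewise yavdb's, not this repository's; only the resolved versions are pinned here.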
@@ -28,12 +28,20 @@ require_relative 'dependency_spy/semver'
28
28
  module DependencySpy
29
29
  class API
30
30
 
31
- def self.check(path = Dir.pwd, files = nil, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH, offline = false)
31
+ def self.check(options)
32
+ verbose = options[:verbose]
33
+ path = options[:path] || Dir.pwd
34
+ files = options[:files]
35
+ platform = options[:platform]
36
+ database_path = options[:database_path] || YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH
37
+ offline = options[:offline] || false
38
+ ignore = options[:ignore] || []
39
+
32
40
  if !File.exist?(database_path) && offline
33
41
  puts 'No local database found. Cannot obtain database since offline mode is enabled.'
34
42
  exit(10)
35
43
  elsif !offline
36
- puts 'Going to update the local vulnerability database.'
44
+ puts 'Going to update the local vulnerability database.' if verbose
37
45
  YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
38
46
  end
39
47
 
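Review bot: the new `check(options)` reads `options[:database_path]`, but the CLI defines the switch as `database-path` (the old call site, visible in a later hunk, passed `options['database-path']`). Thor's options hash treats string and symbol keys alike but does not translate `-` to `_`, so unless something normalises the key, a user-supplied `--database-path` is silently replaced by `YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH`; either read `options['database-path']` here or build an explicit argument hash at the call site. The `verbose` key is read too, yet no `method_option('verbose', ...)` appears in the CLI hunk on this page; confirm it is defined elsewhere, otherwise the flag is always nil. Replacing positional parameters with an options hash also breaks any library caller of `API.check`, which the 0.4.1 to 0.5.0 bump should state; keyword arguments (`def self.check(path: Dir.pwd, files: nil, platform: nil, database_path: ..., offline: false, ignore: [], verbose: false)`) would keep the signature self-documenting and let Ruby reject misspelled keys instead of defaulting them.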
@@ -64,9 +72,13 @@ module DependencySpy
64
72
  vulnerable = vuln.vulnerable_versions ? vuln.vulnerable_versions.any? { |vv| DependencySpy::SemVer.intersects(vv, version) } : false
65
73
  unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
66
74
  patched = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
75
+ ignored = ignore.include?(vuln.id)
67
76
 
68
77
  if unaffected || patched
69
78
  false
79
+ elsif ignored
80
+ puts "Skipping ignored vulnerability with #{vuln.id}." if verbose
81
+ false
70
82
  else
71
83
  vulnerable
72
84
  end
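Review bot: the `elsif ignored` branch suppresses a finding whose version does match `vulnerable_versions`, and unless `verbose` is set nothing in the output records that a match was dropped. An ignore list is exactly where a temporary exception tends to become permanent, so at minimum report the number of ignored matches unconditionally (or return them alongside the manifests so the formatters can list them), and consider whether `ignore.include?(vuln.id)` should be case-insensitive given that identifiers are typed by hand on the command line. The ordering is right: an unaffected or patched version returns false before the ignore list is consulted, so an ignore entry can never hide a fix.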
@@ -49,8 +49,9 @@ module DependencySpy
49
49
  method_option('offline', :type => :boolean, :default => false)
50
50
  method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES, :default => 'low')
51
51
  method_option('with-color', :type => :boolean, :default => true)
52
+ method_option('ignore', :aliases => :i, :type => :array, :default => [])
52
53
  def check
53
- manifests = API.check(options['path'], options['files'], options['platform'], options['database-path'], options['offline'])
54
+ manifests = API.check(options)
54
55
 
55
56
  formatted_output = if (options['formatter'] == 'text') && !options['output-path'] && options['with-color']
56
57
  DependencySpy::Formatters::Text.format(manifests, options['severity-threshold'])
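Review bot: the new `ignore` option has no `:desc`, so `--help` will not tell users what values it takes (the identifiers the text formatter now prints as `Identifier:`); add something like `:desc => 'Vulnerability identifiers to skip'`. Passing Thor's whole `options` hash straight into `API.check` also couples the library API to CLI switch spellings such as `database-path`, which the API must then read with exactly that key; assembling the argument hash explicitly here (`API.check(path: options['path'], database_path: options['database-path'], ...)`) keeps the two decoupled and makes the removed line's mapping visible again.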
@@ -29,7 +29,7 @@ module DependencySpy
29
29
 
30
30
  filtered_manifests
31
31
  .reject { |m| m[:dependencies].nil? }
32
- .map(&:to_json)
32
+ .to_json
33
33
  end
34
34
 
35
35
  end
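Review bot: replacing `.map(&:to_json)` with `.to_json` changes the output from a Ruby Array of JSON strings (which, once printed, was not itself valid JSON) to a single JSON document. That is the right fix, but it changes what every consumer of `--formatter json` receives and belongs in the changelog. The manifests are symbol-keyed (`m[:dependencies]`), and `to_json` serialises symbol keys as plain strings, so the resulting document needs no further conversion.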
@@ -28,13 +28,15 @@ module DependencySpy
28
28
 
29
29
  package_header = " Vulnerable: #{package.name}/#{package.type}:#{package.version}"
30
30
  package_body = package.vulnerabilities.map do |vuln|
31
- first = " Title: #{vuln.title}\n"
32
- second = " Severity: #{(vuln.severity || 'unknown').capitalize}\n"
33
- third = " Source: #{vuln.source_url}\n\n"
31
+ body = ''
32
+ body += " Title: #{vuln.title}\n"
33
+ body += " Severity: #{(vuln.severity || 'unknown').capitalize}\n"
34
+ body += " Source: #{vuln.source_url}\n"
35
+ body += " Identifier: #{vuln.id}\n\n"
34
36
  if severity_threshold && DependencySpy::Helper.severity_above_threshold?(vuln.severity, severity_threshold)
35
- "#{first}#{second}#{third}".red
37
+ body.red
36
38
  else
37
- "#{first}#{second}#{third}"
39
+ body
38
40
  end
39
41
  end
40
42
 
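Review bot: printing `Identifier:` is the right companion to the new `--ignore` option, since that is the value users will copy into it. A style point only: `body = ''` followed by four `+=` appends builds four intermediate strings; collecting the lines in an array and joining once (`[...].join("\n") + "\n\n"`) or using a heredoc keeps the trailing blank line in one place and reads more clearly.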
@@ -29,7 +29,7 @@ module DependencySpy
29
29
 
30
30
  filtered_manifests
31
31
  .reject { |m| m[:dependencies].nil? }
32
- .map(&:to_json)
32
+ .to_yaml
33
33
  end
34
34
 
35
35
  end
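Review bot: `to_yaml` requires `require 'yaml'` to have run somewhere on the load path, which this hunk does not show; confirm it is present. Because the manifests are symbol-keyed (`m[:dependencies]`), Psych will emit keys as `:dependencies:` and any non-Hash objects in the tree as `!ruby/object:...` tags; the latter are rejected by `YAML.safe_load`, which pushes consumers toward `YAML.load` and its arbitrary-object instantiation. Converting the tree to plain string-keyed hashes and arrays first (for instance `JSON.parse(filtered_manifests.to_json).to_yaml`) keeps the output loadable with `safe_load`. Note also that the old `.map(&:to_json)` meant the YAML formatter previously produced the same Array-of-JSON-strings output as the JSON formatter, so this is a format change for YAML consumers as well.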
@@ -16,6 +16,6 @@
16
16
 
17
17
  module DependencySpy
18
18
 
19
- VERSION = '0.4.1'
19
+ VERSION = '0.5.0'
20
20
 
21
21
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependency_spy
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.1
4
+ version: 0.5.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rodrigo Fernandes
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-05-17 00:00:00.000000000 Z
11
+ date: 2019-07-03 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: codacy-coverage
@@ -189,11 +189,14 @@ extensions: []
189
189
  extra_rdoc_files: []
190
190
  files:
191
191
  - ".circleci/config.yml"
192
+ - ".github/ISSUE_TEMPLATE/bug_report.md"
193
+ - ".github/ISSUE_TEMPLATE/feature_request.md"
192
194
  - ".gitignore"
193
195
  - ".rspec"
194
196
  - ".rubocop.yml"
195
197
  - ".ruby-version"
196
198
  - CODE_OF_CONDUCT.md
199
+ - CONTRIBUTING.md
197
200
  - Gemfile
198
201
  - Gemfile.lock
199
202
  - LICENSE
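Review bot: this file list resolves the three unnamed hunks earlier in the rendering to `.github/ISSUE_TEMPLATE/bug_report.md`, `.github/ISSUE_TEMPLATE/feature_request.md` and `CONTRIBUTING.md`. All three are being packaged into the gem's `files:` list; that is harmless and consistent with `.circleci/config.yml`, `.rubocop.yml` and `.ruby-version` already being shipped, but if the intent is a lean artifact, excluding repository-only files from the gemspec's file glob would be the place to do it.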