dependency_spy 0.4.1 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/ISSUE_TEMPLATE/bug_report.md +32 -0
- data/.github/ISSUE_TEMPLATE/feature_request.md +20 -0
- data/CONTRIBUTING.md +60 -0
- data/Gemfile.lock +26 -18
- data/lib/dependency_spy.rb +14 -2
- data/lib/dependency_spy/cli.rb +2 -1
- data/lib/dependency_spy/formatters/json.rb +1 -1
- data/lib/dependency_spy/formatters/text.rb +7 -5
- data/lib/dependency_spy/formatters/yaml.rb +1 -1
- data/lib/dependency_spy/version.rb +1 -1
- metadata +5 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0ddb60aae0c5f147e8a30d6ace566ef78bbdc0ec19347ca1f7ba293c9fbeace0
|
4
|
+
data.tar.gz: 7b8af132b777ab01bb86e9bb411b301a6b43efd7e5f5041a60aab32d21ba2dce
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9f28a41c70c1180129d3ad64324c5eb8248154bdef020751839e7772650c62ad36ff5307e3666d5dbab6d045269d4ce54b19f54c6c5231258260c5a42841b2e3
|
7
|
+
data.tar.gz: 872132f723b4a31fc739680ae336a151cca2b054d900ea5e33e52f1cee37be3f2acf4a8ceb6d4fd867a7bc1cf475c86dca0c1207d8769ec56b86f23e66ac62dd
|
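Review bot: the new SHA256/SHA512 values for metadata.gz and data.tar.gz only prove anything if they are compared against a copy of the gem obtained independently of this page, because checksums.yaml travels inside the .gem and is regenerated by whoever runs the build. Before trusting the bump, fetch and recompute: `gem fetch dependency_spy -v 0.5.0`, then `tar -xOf dependency_spy-0.5.0.gem data.tar.gz | sha256sum` should print 7b8af132b777ab01bb86e9bb411b301a6b43efd7e5f5041a60aab32d21ba2dce and `tar -xOf dependency_spy-0.5.0.gem metadata.gz | sha256sum` should print 0ddb60aae0c5f147e8a30d6ace566ef78bbdc0ec19347ca1f7ba293c9fbeace0. The 0.4.1 values are truncated in this view, so the diff itself cannot show whether both archives changed.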
data/.github/ISSUE_TEMPLATE/bug_report.md
ADDED
@@ -0,0 +1,32 @@
|
|
1
|
+
---
|
2
|
+
name: Bug report
|
3
|
+
about: Create a report to help us improve
|
4
|
+
title: ''
|
5
|
+
labels: ''
|
6
|
+
assignees: ''
|
7
|
+
|
8
|
+
---
|
9
|
+
|
10
|
+
**Describe the bug**
|
11
|
+
A clear and concise description of what the bug is.
|
12
|
+
|
13
|
+
**To Reproduce**
|
14
|
+
Steps to reproduce the behavior:
|
15
|
+
1. Go to '...'
|
16
|
+
2. Click on '....'
|
17
|
+
3. Scroll down to '....'
|
18
|
+
4. See error
|
19
|
+
|
20
|
+
**Expected behavior**
|
21
|
+
A clear and concise description of what you expected to happen.
|
22
|
+
|
23
|
+
**Screenshots**
|
24
|
+
If applicable, add screenshots to help explain your problem.
|
25
|
+
|
26
|
+
**Desktop (please complete the following information):**
|
27
|
+
- OS: [e.g. Windows, Linux, Mac]
|
28
|
+
- Ruby Version [e.g. 2.5.5]
|
29
|
+
- Version [e.g. 22]
|
30
|
+
|
31
|
+
**Additional context**
|
32
|
+
Add any other context about the problem here.
|
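Review bot: the reproduction steps (lines 15-18) and the Desktop section (lines 26-29) still carry the GitHub default placeholders ('Go to ...', 'Click on ...', 'Version [e.g. 22]'), which do not fit a command-line gem. Ask instead for the installed dependency_spy version (e.g. 0.5.0), the Ruby version, the exact command and flags used (including whether `--offline` was set, since that changes whether the vulnerability database is refreshed), the type of manifest scanned, and a manifest file the reporter can attach. Rename the section from 'Desktop' to 'Environment' while at it.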
data/.github/ISSUE_TEMPLATE/feature_request.md
ADDED
@@ -0,0 +1,20 @@
|
|
1
|
+
---
|
2
|
+
name: Feature request
|
3
|
+
about: Suggest an idea for this project
|
4
|
+
title: ''
|
5
|
+
labels: ''
|
6
|
+
assignees: ''
|
7
|
+
|
8
|
+
---
|
9
|
+
|
10
|
+
**Is your feature request related to a problem? Please describe.**
|
11
|
+
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
|
12
|
+
|
13
|
+
**Describe the solution you'd like**
|
14
|
+
A clear and concise description of what you want to happen.
|
15
|
+
|
16
|
+
**Describe alternatives you've considered**
|
17
|
+
A clear and concise description of any alternative solutions or features you've considered.
|
18
|
+
|
19
|
+
**Additional context**
|
20
|
+
Add any other context or screenshots about the feature request here.
|
data/CONTRIBUTING.md
ADDED
@@ -0,0 +1,60 @@
|
|
1
|
+
## How to contribute to dependency_spy
|
2
|
+
|
3
|
+
### Main rules
|
4
|
+
|
5
|
+
* Before you open a ticket or send a pull request, [search](https://github.com/rtfpessoa/dependency_spy/issues) for previous discussions about the same feature or issue. Add to the earlier ticket if you find one.
|
6
|
+
|
7
|
+
* If you're proposing a new feature, make sure you create an issue to let other contributors know what you are working on.
|
8
|
+
|
9
|
+
* Before sending a pull request make sure your code is tested.
|
10
|
+
|
11
|
+
* Before sending a pull request for a feature, be sure to run tests.
|
12
|
+
|
13
|
+
* Use the same coding style as the rest of the codebase.
|
14
|
+
|
15
|
+
* Use `git rebase` (not `git merge`) to sync your work from time to time with the master branch.
|
16
|
+
|
17
|
+
* After creating your pull request make sure the build is passing on [CircleCI](https://circleci.com/gh/rtfpessoa/dependency_spy)
|
18
|
+
and that [Codacy](https://www.codacy.com/app/rtfpessoa/dependency_spy) is also confident in the code quality.
|
19
|
+
|
20
|
+
### Commit Style
|
21
|
+
|
22
|
+
Writing good commit logs is important. A commit log should describe what changed and why.
|
23
|
+
Follow these guidelines when writing one:
|
24
|
+
|
25
|
+
1. The first line should be 50 characters or less and contain a short
|
26
|
+
description of the change prefixed with the name of the changed
|
27
|
+
subsystem (e.g. "net: add localAddress and localPort to Socket").
|
28
|
+
2. Keep the second line blank.
|
29
|
+
3. Wrap all other lines at 72 columns.
|
30
|
+
|
31
|
+
A good commit log can look something like this:
|
32
|
+
|
33
|
+
```
|
34
|
+
subsystem: explaining the commit in one line
|
35
|
+
|
36
|
+
Body of commit message is a few lines of text, explaining things
|
37
|
+
in more detail, possibly giving some background about the issue
|
38
|
+
being fixed, etc. etc.
|
39
|
+
|
40
|
+
The body of the commit message can be several paragraphs, and
|
41
|
+
please do proper word-wrap and keep columns shorter than about
|
42
|
+
72 characters or so. That way `git log` will show things
|
43
|
+
nicely even when it is indented.
|
44
|
+
```
|
45
|
+
|
46
|
+
### Developer's Certificate of Origin 1.0
|
47
|
+
|
48
|
+
By making a contribution to this project, I certify that:
|
49
|
+
|
50
|
+
* (a) The contribution was created in whole or in part by me and I
|
51
|
+
have the right to submit it under the open source license indicated
|
52
|
+
in the file; or
|
53
|
+
* (b) The contribution is based upon previous work that, to the best
|
54
|
+
of my knowledge, is covered under an appropriate open source license
|
55
|
+
and I have the right under that license to submit that work with
|
56
|
+
modifications, whether created in whole or in part by me, under the
|
57
|
+
same open source license (unless I am permitted to submit under a
|
58
|
+
different license), as indicated in the file; or
|
59
|
+
* (c) The contribution was provided directly to me by some other
|
60
|
+
person who certified (a), (b) or (c) and I have not modified it.
|
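Review bot: the Developer's Certificate of Origin section (lines 46-60) states what a contributor certifies but not how that certification is recorded, so it cannot be checked in review; add the sign-off mechanism (a `Signed-off-by:` trailer, e.g. `git commit -s`) and say whether commits without it are accepted. The bullets at lines 9 and 11 ('make sure your code is tested' and 'be sure to run tests') say the same thing and can be merged into one bullet that names the actual commands; the lockfile shows rspec and rubocop in the dev bundle, so state which of them a pull request is expected to pass locally before CircleCI runs.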
data/Gemfile.lock
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
dependency_spy (0.
|
4
|
+
dependency_spy (0.5.0)
|
5
5
|
bibliothecary (~> 6.6)
|
6
6
|
colorize (= 0.8.1)
|
7
7
|
semantic_range (~> 2.2)
|
@@ -13,12 +13,14 @@ GEM
|
|
13
13
|
specs:
|
14
14
|
ansi (1.5.0)
|
15
15
|
ast (2.4.0)
|
16
|
-
bibliothecary (6.
|
16
|
+
bibliothecary (6.7.3)
|
17
17
|
commander
|
18
18
|
deb_control
|
19
19
|
librariesio-gem-parser
|
20
20
|
ox (>= 2.8.1)
|
21
21
|
sdl4r
|
22
|
+
strings
|
23
|
+
strings-ansi
|
22
24
|
toml-rb (~> 1.0)
|
23
25
|
typhoeus
|
24
26
|
citrus (3.0.2)
|
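Review bot: bibliothecary 6.7.3 declares two runtime dependencies the previous lock did not have, `strings` and `strings-ansi` (lines 22-23), and `strings` in turn pulls `unicode_utils` further down this lock. The PATH section keeps the gemspec constraint at `bibliothecary (~> 6.6)`, so consumers may resolve any 6.x and this hunk only pins the development environment; still, because bibliothecary is the component that parses user-supplied manifest files, look at who maintains the new transitive gems before merging rather than accepting them as a side effect of the version bump.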
@@ -29,21 +31,21 @@ GEM
|
|
29
31
|
highline (~> 2.0.0)
|
30
32
|
deb_control (0.0.1)
|
31
33
|
diff-lcs (1.3)
|
32
|
-
docile (1.3.
|
34
|
+
docile (1.3.2)
|
33
35
|
ethon (0.12.0)
|
34
36
|
ffi (>= 1.3.0)
|
35
37
|
execjs (2.7.0)
|
36
|
-
ffi (1.11.
|
38
|
+
ffi (1.11.1)
|
37
39
|
highline (2.0.2)
|
38
|
-
jaro_winkler (1.5.
|
40
|
+
jaro_winkler (1.5.3)
|
39
41
|
json (2.2.0)
|
40
|
-
kramdown (1.
|
42
|
+
kramdown (2.1.0)
|
41
43
|
librariesio-gem-parser (1.0.0)
|
42
44
|
libv8 (3.16.14.19-x86_64-linux)
|
43
45
|
oga (2.15)
|
44
46
|
ast
|
45
47
|
ruby-ll (~> 2.1)
|
46
|
-
ox (2.
|
48
|
+
ox (2.11.0)
|
47
49
|
parallel (1.17.0)
|
48
50
|
parser (2.6.3.0)
|
49
51
|
ast (~> 2.4.0)
|
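Review bot: kramdown moves from the 1.x line to 2.1.0 (lines 40-42), a major version change, while every other bump in this hunk is a patch release; the jump is forced by the `kramdown (~> 2.1)` constraint that the yavdb 0.5.2 entry declares later in this lock. A major bump of a markdown renderer deserves a look at its changelog and a line in the 0.5.0 release notes, so that anyone reproducing the dev bundle knows why the lock moved.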
@@ -56,16 +58,16 @@ GEM
|
|
56
58
|
rspec-mocks (~> 3.8.0)
|
57
59
|
rspec-collection_matchers (1.1.3)
|
58
60
|
rspec-expectations (>= 2.99.0.beta1)
|
59
|
-
rspec-core (3.8.
|
61
|
+
rspec-core (3.8.2)
|
60
62
|
rspec-support (~> 3.8.0)
|
61
|
-
rspec-expectations (3.8.
|
63
|
+
rspec-expectations (3.8.4)
|
62
64
|
diff-lcs (>= 1.2.0, < 2.0)
|
63
65
|
rspec-support (~> 3.8.0)
|
64
|
-
rspec-mocks (3.8.
|
66
|
+
rspec-mocks (3.8.1)
|
65
67
|
diff-lcs (>= 1.2.0, < 2.0)
|
66
68
|
rspec-support (~> 3.8.0)
|
67
|
-
rspec-support (3.8.
|
68
|
-
rubocop (0.
|
69
|
+
rspec-support (3.8.2)
|
70
|
+
rubocop (0.72.0)
|
69
71
|
jaro_winkler (~> 1.5.1)
|
70
72
|
parallel (~> 1.10)
|
71
73
|
parser (>= 2.6)
|
@@ -77,15 +79,20 @@ GEM
|
|
77
79
|
ruby-ll (2.1.2)
|
78
80
|
ansi
|
79
81
|
ast
|
80
|
-
ruby-progressbar (1.10.
|
82
|
+
ruby-progressbar (1.10.1)
|
81
83
|
sdl4r (0.9.11)
|
82
84
|
semantic_interval (0.1.0)
|
83
85
|
semantic_range (2.2.1)
|
84
|
-
simplecov (0.
|
86
|
+
simplecov (0.17.0)
|
85
87
|
docile (~> 1.1)
|
86
88
|
json (>= 1.8, < 3)
|
87
89
|
simplecov-html (~> 0.10.0)
|
88
90
|
simplecov-html (0.10.2)
|
91
|
+
strings (0.1.5)
|
92
|
+
strings-ansi (~> 0.1)
|
93
|
+
unicode-display_width (~> 1.5)
|
94
|
+
unicode_utils (~> 1.4)
|
95
|
+
strings-ansi (0.1.0)
|
89
96
|
therubyracer (0.12.3)
|
90
97
|
libv8 (~> 3.16.14.15)
|
91
98
|
ref
|
@@ -95,10 +102,11 @@ GEM
|
|
95
102
|
typhoeus (1.3.1)
|
96
103
|
ethon (>= 0.9.0)
|
97
104
|
unicode-display_width (1.6.0)
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
105
|
+
unicode_utils (1.4.0)
|
106
|
+
yavdb (0.5.2)
|
107
|
+
execjs (~> 2.7)
|
108
|
+
json (~> 2.2)
|
109
|
+
kramdown (~> 2.1)
|
102
110
|
oga (~> 2.15)
|
103
111
|
semantic_interval (~> 0.1)
|
104
112
|
therubyracer (~> 0.12)
|
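Review bot: the yavdb 0.5.2 entry (lines 106-112) brings in `therubyracer (~> 0.12)`, which this lock resolves to therubyracer 0.12.3 on `libv8 (3.16.14.19-x86_64-linux)`. That libv8 entry is a platform-specific binary gem, so the lock resolves as written only on x86_64 Linux and other platforms fall back to building libv8 from source, and it embeds a V8 from the 3.x series, far older than the 2019-07-03 release date in metadata. For a tool whose purpose is to flag vulnerable dependencies, run dependency_spy against its own Gemfile.lock in CI, and check whether yavdb really needs therubyracer or whether its `execjs (~> 2.7)` dependency could be satisfied by whichever JavaScript runtime execjs autodetects on the host.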
data/lib/dependency_spy.rb
CHANGED
@@ -28,12 +28,20 @@ require_relative 'dependency_spy/semver'
|
|
28
28
|
module DependencySpy
|
29
29
|
class API
|
30
30
|
|
31
|
-
def self.check(
|
31
|
+
def self.check(options)
|
32
|
+
verbose = options[:verbose]
|
33
|
+
path = options[:path] || Dir.pwd
|
34
|
+
files = options[:files]
|
35
|
+
platform = options[:platform]
|
36
|
+
database_path = options[:database_path] || YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH
|
37
|
+
offline = options[:offline] || false
|
38
|
+
ignore = options[:ignore] || []
|
39
|
+
|
32
40
|
if !File.exist?(database_path) && offline
|
33
41
|
puts 'No local database found. Cannot obtain database since offline mode is enabled.'
|
34
42
|
exit(10)
|
35
43
|
elsif !offline
|
36
|
-
puts 'Going to update the local vulnerability database.'
|
44
|
+
puts 'Going to update the local vulnerability database.' if verbose
|
37
45
|
YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
|
38
46
|
end
|
39
47
|
|
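Review bot: `database_path` is now caller-configurable (line 36) but only the existence check at line 40 honours it; the download at line 45 still writes to `YAVDB::Constants::DEFAULT_YAVDB_PATH`, so a caller passing `:database_path` in online mode gets the default location refreshed and their own path ignored, and in offline mode the check passes or fails against a path the tool never populates. Either derive the download target from `database_path` or do not expose the option until the download honours it. Two smaller points: the symbol keys read here (`:verbose`, `:path`, `:files`, `:platform`, `:database_path`, `:offline`, `:ignore`) must each match an option declared in cli.rb, and Thor stores parsed options under their dasherized string names, so check that an option reached as `:database_path` is declared with an underscore and not as `database-path`; and `puts` followed by `exit(10)` inside `API.check` makes the library unusable from anything but the CLI, so raise a specific error here and let `cli.rb` map it to the exit code.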
@@ -64,9 +72,13 @@ module DependencySpy
|
|
64
72
|
vulnerable = vuln.vulnerable_versions ? vuln.vulnerable_versions.any? { |vv| DependencySpy::SemVer.intersects(vv, version) } : false
|
65
73
|
unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
|
66
74
|
patched = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
|
75
|
+
ignored = ignore.include?(vuln.id)
|
67
76
|
|
68
77
|
if unaffected || patched
|
69
78
|
false
|
79
|
+
elsif ignored
|
80
|
+
puts "Skipping ignored vulnerability with #{vuln.id}." if verbose
|
81
|
+
false
|
70
82
|
else
|
71
83
|
vulnerable
|
72
84
|
end
|
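Review bot: ignored findings are dropped silently unless `verbose` is set (line 80), so the normal report gives no sign that suppressions are in effect; a scanner's output should always state how many findings were skipped via the ignore list and which identifiers, otherwise an ignore added for one release keeps masking a reopened or re-scoped advisory indefinitely. The match at line 75 is an exact `ignore.include?(vuln.id)` against values typed on the command line, so document the expected identifier format and consider normalising case and surrounding whitespace. The message at line 80, 'Skipping ignored vulnerability with #{vuln.id}.', reads as if a word is missing; 'Skipping ignored vulnerability #{vuln.id}.' is enough.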
data/lib/dependency_spy/cli.rb
CHANGED
@@ -49,8 +49,9 @@ module DependencySpy
|
|
49
49
|
method_option('offline', :type => :boolean, :default => false)
|
50
50
|
method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES, :default => 'low')
|
51
51
|
method_option('with-color', :type => :boolean, :default => true)
|
52
|
+
method_option('ignore', :aliases => :i, :type => :array, :default => [])
|
52
53
|
def check
|
53
|
-
manifests = API.check(options
|
54
|
+
manifests = API.check(options)
|
54
55
|
|
55
56
|
formatted_output = if (options['formatter'] == 'text') && !options['output-path'] && options['with-color']
|
56
57
|
DependencySpy::Formatters::Text.format(manifests, options['severity-threshold'])
|
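Review bot: the new `ignore` option at line 52 has no `:desc`, and this release changes no README, so `--ignore` is invisible to users beyond Thor's generated switch list. Add a description stating that identifiers are matched exactly against the value shown on the text formatter's `Identifier:` line, and, since this is an array option, that `--ignore ID1 ID2` consumes every following argument up to the next switch, so it should be given after any positional arguments.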
data/lib/dependency_spy/formatters/text.rb
CHANGED
@@ -28,13 +28,15 @@ module DependencySpy
|
|
28
28
|
|
29
29
|
package_header = " Vulnerable: #{package.name}/#{package.type}:#{package.version}"
|
30
30
|
package_body = package.vulnerabilities.map do |vuln|
|
31
|
-
|
32
|
-
|
33
|
-
|
31
|
+
body = ''
|
32
|
+
body += " Title: #{vuln.title}\n"
|
33
|
+
body += " Severity: #{(vuln.severity || 'unknown').capitalize}\n"
|
34
|
+
body += " Source: #{vuln.source_url}\n"
|
35
|
+
body += " Identifier: #{vuln.id}\n\n"
|
34
36
|
if severity_threshold && DependencySpy::Helper.severity_above_threshold?(vuln.severity, severity_threshold)
|
35
|
-
|
37
|
+
body.red
|
36
38
|
else
|
37
|
-
|
39
|
+
body
|
38
40
|
end
|
39
41
|
end
|
40
42
|
|
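Review bot: `vuln.severity` is defaulted to 'unknown' for display at line 33 but passed raw into `severity_above_threshold?` at line 36, so a nil severity reaches the helper; confirm it handles nil, and decide deliberately whether an unknown severity should be treated as above threshold (the conservative choice for a scanner) rather than letting it fall through to the uncoloured branch. Separately, `vuln.title` and `vuln.source_url` (lines 32 and 34) come from the downloaded vulnerability database and are written to the terminal unescaped; a title containing control or ANSI escape characters would be interpreted by the terminal, so strip non-printables before interpolating, with or without `.red`.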
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependency_spy
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.5.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Rodrigo Fernandes
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-
|
11
|
+
date: 2019-07-03 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: codacy-coverage
|
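Review bot: `cert_chain: []` (line 10) is unchanged, so 0.5.0 ships unsigned like 0.4.1, and the checksums.yaml hashes above are produced at build time by whoever runs `gem build`; they give integrity only, not origin, and a user cannot install this gem under `gem install --trust-policy HighSecurity`. If signing is intended, set `signing_key` and `cert_chain` in the gemspec before the next release; if it is not, say so in CONTRIBUTING.md so that contributors and users know what the checksums do and do not establish.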
@@ -189,11 +189,14 @@ extensions: []
|
|
189
189
|
extra_rdoc_files: []
|
190
190
|
files:
|
191
191
|
- ".circleci/config.yml"
|
192
|
+
- ".github/ISSUE_TEMPLATE/bug_report.md"
|
193
|
+
- ".github/ISSUE_TEMPLATE/feature_request.md"
|
192
194
|
- ".gitignore"
|
193
195
|
- ".rspec"
|
194
196
|
- ".rubocop.yml"
|
195
197
|
- ".ruby-version"
|
196
198
|
- CODE_OF_CONDUCT.md
|
199
|
+
- CONTRIBUTING.md
|
197
200
|
- Gemfile
|
198
201
|
- Gemfile.lock
|
199
202
|
- LICENSE
|
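Review bot: the packaged `files` list now adds `.github/ISSUE_TEMPLATE/*.md` and `CONTRIBUTING.md` (lines 192-193 and 199) alongside the already-shipped `.circleci/config.yml`, `.rubocop.yml`, `.ruby-version` and `Gemfile.lock`; none of these are needed at runtime, and a Gemfile.lock inside a gem has no effect on consumers' resolution. Tighten the gemspec `files` selection (for example `git ls-files` filtered to `lib/`, `bin/`, the licence and the readme) so repository housekeeping and CI files stop becoming part of the installed package.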