dependency_spy 0.4.1 → 0.5.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: bd76c3bfcbdcc405ea294b2005b889bb58ec929743debec07993c7779d564d98
4
- data.tar.gz: 9ce10481a76d8dbb4381a3acacf76ece5dbfc0e1d9b82bece3dbef121ce1db2f
3
+ metadata.gz: 0ddb60aae0c5f147e8a30d6ace566ef78bbdc0ec19347ca1f7ba293c9fbeace0
4
+ data.tar.gz: 7b8af132b777ab01bb86e9bb411b301a6b43efd7e5f5041a60aab32d21ba2dce
5
5
  SHA512:
6
- metadata.gz: bf1d350bbbe04a198ae7623b93bfbc8f03efa912a4d81de2025fdb434a6fd5ba2a3dd0b3faf0b23f5070b5d05b7d4d8612ae0fe48229a884712111be6a62784d
7
- data.tar.gz: 791adfff9cfc910ddd0fdf78bbf96d65c55e93c6f4b51fd8a947cc3eedac0fbe76e8462b72f1314df151aa44999bee5b4b5117dc44bcc09111c3cdfa915557a5
6
+ metadata.gz: 9f28a41c70c1180129d3ad64324c5eb8248154bdef020751839e7772650c62ad36ff5307e3666d5dbab6d045269d4ce54b19f54c6c5231258260c5a42841b2e3
7
+ data.tar.gz: 872132f723b4a31fc739680ae336a151cca2b054d900ea5e33e52f1cee37be3f2acf4a8ceb6d4fd867a7bc1cf475c86dca0c1207d8769ec56b86f23e66ac62dd
@@ -0,0 +1,32 @@
1
+ ---
2
+ name: Bug report
3
+ about: Create a report to help us improve
4
+ title: ''
5
+ labels: ''
6
+ assignees: ''
7
+
8
+ ---
9
+
10
+ **Describe the bug**
11
+ A clear and concise description of what the bug is.
12
+
13
+ **To Reproduce**
14
+ Steps to reproduce the behavior:
15
+ 1. Go to '...'
16
+ 2. Click on '....'
17
+ 3. Scroll down to '....'
18
+ 4. See error
19
+
20
+ **Expected behavior**
21
+ A clear and concise description of what you expected to happen.
22
+
23
+ **Screenshots**
24
+ If applicable, add screenshots to help explain your problem.
25
+
26
+ **Desktop (please complete the following information):**
27
+ - OS: [e.g. Windows, Linux, Mac]
28
+ - Ruby Version [e.g. 2.5.5]
29
+ - Version [e.g. 22]
30
+
31
+ **Additional context**
32
+ Add any other context about the problem here.
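Review bot: the reproduction steps ("Go to", "Click on", "Scroll down") and the "Desktop" heading are the GitHub defaults written for GUI applications and do not fit a command-line scanner; ask instead for the exact command line that was run, the type of package manifest being scanned and whether `--offline` was used, since those are what is needed to reproduce a scan. "Version [e.g. 22]" should say which version is meant (dependency_spy's), and "Ruby Version" is missing its colon to match the "OS:" line.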
@@ -0,0 +1,20 @@
1
+ ---
2
+ name: Feature request
3
+ about: Suggest an idea for this project
4
+ title: ''
5
+ labels: ''
6
+ assignees: ''
7
+
8
+ ---
9
+
10
+ **Is your feature request related to a problem? Please describe.**
11
+ A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12
+
13
+ **Describe the solution you'd like**
14
+ A clear and concise description of what you want to happen.
15
+
16
+ **Describe alternatives you've considered**
17
+ A clear and concise description of any alternative solutions or features you've considered.
18
+
19
+ **Additional context**
20
+ Add any other context or screenshots about the feature request here.
@@ -0,0 +1,60 @@
1
+ ## How to contribute to dependency_spy
2
+
3
+ ### Main rules
4
+
5
+ * Before you open a ticket or send a pull request, [search](https://github.com/rtfpessoa/dependency_spy/issues) for previous discussions about the same feature or issue. Add to the earlier ticket if you find one.
6
+
7
+ * If you're proposing a new feature, make sure you create an issue to let other contributors know what you are working on.
8
+
9
+ * Before sending a pull request make sure your code is tested.
10
+
11
+ * Before sending a pull request for a feature, be sure to run tests.
12
+
13
+ * Use the same coding style as the rest of the codebase.
14
+
15
+ * Use `git rebase` (not `git merge`) to sync your work from time to time with the master branch.
16
+
17
+ * After creating your pull request make sure the build is passing on [CircleCI](https://circleci.com/gh/rtfpessoa/dependency_spy)
18
+ and that [Codacy](https://www.codacy.com/app/rtfpessoa/dependency_spy) is also confident in the code quality.
19
+
20
+ ### Commit Style
21
+
22
+ Writing good commit logs is important. A commit log should describe what changed and why.
23
+ Follow these guidelines when writing one:
24
+
25
+ 1. The first line should be 50 characters or less and contain a short
26
+ description of the change prefixed with the name of the changed
27
+ subsystem (e.g. "net: add localAddress and localPort to Socket").
28
+ 2. Keep the second line blank.
29
+ 3. Wrap all other lines at 72 columns.
30
+
31
+ A good commit log can look something like this:
32
+
33
+ ```
34
+ subsystem: explaining the commit in one line
35
+
36
+ Body of commit message is a few lines of text, explaining things
37
+ in more detail, possibly giving some background about the issue
38
+ being fixed, etc. etc.
39
+
40
+ The body of the commit message can be several paragraphs, and
41
+ please do proper word-wrap and keep columns shorter than about
42
+ 72 characters or so. That way `git log` will show things
43
+ nicely even when it is indented.
44
+ ```
45
+
46
+ ### Developer's Certificate of Origin 1.0
47
+
48
+ By making a contribution to this project, I certify that:
49
+
50
+ * (a) The contribution was created in whole or in part by me and I
51
+ have the right to submit it under the open source license indicated
52
+ in the file; or
53
+ * (b) The contribution is based upon previous work that, to the best
54
+ of my knowledge, is covered under an appropriate open source license
55
+ and I have the right under that license to submit that work with
56
+ modifications, whether created in whole or in part by me, under the
57
+ same open source license (unless I am permitted to submit under a
58
+ different license), as indicated in the file; or
59
+ * (c) The contribution was provided directly to me by some other
60
+ person who certified (a), (b) or (c) and I have not modified it.
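Review bot: "Before sending a pull request make sure your code is tested." and "Before sending a pull request for a feature, be sure to run tests." say the same thing; merge them into one bullet that names the command to run (presumably the rspec suite, given the rspec gems in the lock). The Developer's Certificate of Origin section states what a contributor certifies but never says how it is recorded; the usual mechanism is a `Signed-off-by:` trailer added with `git commit -s`, and without a sentence requiring that, the certificate is not actually attached to any commit. Minor: put `master` in backticks in the rebase bullet to match the code styling used for `git rebase` and `git merge`.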
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- dependency_spy (0.4.1)
4
+ dependency_spy (0.5.0)
5
5
  bibliothecary (~> 6.6)
6
6
  colorize (= 0.8.1)
7
7
  semantic_range (~> 2.2)
@@ -13,12 +13,14 @@ GEM
13
13
  specs:
14
14
  ansi (1.5.0)
15
15
  ast (2.4.0)
16
- bibliothecary (6.6.0)
16
+ bibliothecary (6.7.3)
17
17
  commander
18
18
  deb_control
19
19
  librariesio-gem-parser
20
20
  ox (>= 2.8.1)
21
21
  sdl4r
22
+ strings
23
+ strings-ansi
22
24
  toml-rb (~> 1.0)
23
25
  typhoeus
24
26
  citrus (3.0.2)
@@ -29,21 +31,21 @@ GEM
29
31
  highline (~> 2.0.0)
30
32
  deb_control (0.0.1)
31
33
  diff-lcs (1.3)
32
- docile (1.3.1)
34
+ docile (1.3.2)
33
35
  ethon (0.12.0)
34
36
  ffi (>= 1.3.0)
35
37
  execjs (2.7.0)
36
- ffi (1.11.0)
38
+ ffi (1.11.1)
37
39
  highline (2.0.2)
38
- jaro_winkler (1.5.2)
40
+ jaro_winkler (1.5.3)
39
41
  json (2.2.0)
40
- kramdown (1.17.0)
42
+ kramdown (2.1.0)
41
43
  librariesio-gem-parser (1.0.0)
42
44
  libv8 (3.16.14.19-x86_64-linux)
43
45
  oga (2.15)
44
46
  ast
45
47
  ruby-ll (~> 2.1)
46
- ox (2.10.0)
48
+ ox (2.11.0)
47
49
  parallel (1.17.0)
48
50
  parser (2.6.3.0)
49
51
  ast (~> 2.4.0)
@@ -56,16 +58,16 @@ GEM
56
58
  rspec-mocks (~> 3.8.0)
57
59
  rspec-collection_matchers (1.1.3)
58
60
  rspec-expectations (>= 2.99.0.beta1)
59
- rspec-core (3.8.0)
61
+ rspec-core (3.8.2)
60
62
  rspec-support (~> 3.8.0)
61
- rspec-expectations (3.8.3)
63
+ rspec-expectations (3.8.4)
62
64
  diff-lcs (>= 1.2.0, < 2.0)
63
65
  rspec-support (~> 3.8.0)
64
- rspec-mocks (3.8.0)
66
+ rspec-mocks (3.8.1)
65
67
  diff-lcs (>= 1.2.0, < 2.0)
66
68
  rspec-support (~> 3.8.0)
67
- rspec-support (3.8.0)
68
- rubocop (0.69.0)
69
+ rspec-support (3.8.2)
70
+ rubocop (0.72.0)
69
71
  jaro_winkler (~> 1.5.1)
70
72
  parallel (~> 1.10)
71
73
  parser (>= 2.6)
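Review bot: rubocop 0.69.0 → 0.72.0 is a lint-only change, but minor rubocop releases of that era may add cops that are enabled by default; run the linter against the existing `.rubocop.yml` (listed under files in the metadata hunk) with the new lock before release so CI and Codacy do not start failing on unrelated style findings.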
@@ -77,15 +79,20 @@ GEM
77
79
  ruby-ll (2.1.2)
78
80
  ansi
79
81
  ast
80
- ruby-progressbar (1.10.0)
82
+ ruby-progressbar (1.10.1)
81
83
  sdl4r (0.9.11)
82
84
  semantic_interval (0.1.0)
83
85
  semantic_range (2.2.1)
84
- simplecov (0.16.1)
86
+ simplecov (0.17.0)
85
87
  docile (~> 1.1)
86
88
  json (>= 1.8, < 3)
87
89
  simplecov-html (~> 0.10.0)
88
90
  simplecov-html (0.10.2)
91
+ strings (0.1.5)
92
+ strings-ansi (~> 0.1)
93
+ unicode-display_width (~> 1.5)
94
+ unicode_utils (~> 1.4)
95
+ strings-ansi (0.1.0)
89
96
  therubyracer (0.12.3)
90
97
  libv8 (~> 3.16.14.15)
91
98
  ref
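Review bot: the bibliothecary 6.7.3 update pulls three gems into the lock that were not there before (strings, strings-ansi, unicode_utils), and they arrive through a runtime dependency of the scanner rather than a development one. They deserve a quick look (maintainer, license, what they do at load time) before the lock is committed, and the release notes for 0.5.0 should mention that installs will now fetch them.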
@@ -95,10 +102,11 @@ GEM
95
102
  typhoeus (1.3.1)
96
103
  ethon (>= 0.9.0)
97
104
  unicode-display_width (1.6.0)
98
- yavdb (0.5.1)
99
- execjs (~> 2.7.0)
100
- json (~> 2.1)
101
- kramdown (~> 1.17)
105
+ unicode_utils (1.4.0)
106
+ yavdb (0.5.2)
107
+ execjs (~> 2.7)
108
+ json (~> 2.2)
109
+ kramdown (~> 2.1)
102
110
  oga (~> 2.15)
103
111
  semantic_interval (~> 0.1)
104
112
  therubyracer (~> 0.12)
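Review bot: yavdb 0.5.2 moves its kramdown constraint from `~> 1.17` to `~> 2.1`, which is what drives the kramdown 1.17.0 → 2.1.0 jump in an earlier hunk; that is a major version bump of a gem this project only gets transitively, via the library that supplies the vulnerability data. Run the existing specs against the new lock before tagging, and if any formatter output depends on rendered advisory text, compare it before and after.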
@@ -28,12 +28,20 @@ require_relative 'dependency_spy/semver'
28
28
  module DependencySpy
29
29
  class API
30
30
 
31
- def self.check(path = Dir.pwd, files = nil, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH, offline = false)
31
+ def self.check(options)
32
+ verbose = options[:verbose]
33
+ path = options[:path] || Dir.pwd
34
+ files = options[:files]
35
+ platform = options[:platform]
36
+ database_path = options[:database_path] || YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH
37
+ offline = options[:offline] || false
38
+ ignore = options[:ignore] || []
39
+
32
40
  if !File.exist?(database_path) && offline
33
41
  puts 'No local database found. Cannot obtain database since offline mode is enabled.'
34
42
  exit(10)
35
43
  elsif !offline
36
- puts 'Going to update the local vulnerability database.'
44
+ puts 'Going to update the local vulnerability database.' if verbose
37
45
  YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
38
46
  end
39
47
 
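Review bot: `database_path = options[:database_path] || …` probably never sees the value given on the command line. The CLI declares the option as 'database-path' (the previous call read `options['database-path']`), Thor stores the parsed value under that hyphenated name, and its indifferent-access hash only converts a Symbol key to its String form, so `:database_path` looks up "database_path" and gets nil; `--database-path` would then silently fall back to `DEFAULT_YAVDB_DATABASE_PATH`. Either declare the option as `database_path` or read `options['database-path']` here, and add a spec that passes a custom path through `check`. More generally, because every lookup here falls back to a default, a caller that passes a plain string-keyed Hash gets Dir.pwd, offline false and an empty ignore list with no error; documenting that `check` expects symbol keys (or normalising keys on entry) would make the new signature safe for library users, and since the positional signature is gone, the 0.4.1 → 0.5.0 bump should be noted as an API break.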
@@ -64,9 +72,13 @@ module DependencySpy
64
72
  vulnerable = vuln.vulnerable_versions ? vuln.vulnerable_versions.any? { |vv| DependencySpy::SemVer.intersects(vv, version) } : false
65
73
  unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
66
74
  patched = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
75
+ ignored = ignore.include?(vuln.id)
67
76
 
68
77
  if unaffected || patched
69
78
  false
79
+ elsif ignored
80
+ puts "Skipping ignored vulnerability with #{vuln.id}." if verbose
81
+ false
70
82
  else
71
83
  vulnerable
72
84
  end
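Review bot: an ignored identifier drops the finding with no trace unless verbose is on, so a stale or mistyped `--ignore` list leaves nothing in the report to show that a suppression happened. Consider always surfacing ignored findings, for example by returning them to the formatter as a separate list or at minimum printing a one-line count of ignored vulnerabilities, so that suppressions can be reviewed rather than being invisible. Minor: "Skipping ignored vulnerability with #{vuln.id}." reads better as "Skipping ignored vulnerability #{vuln.id}.".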
@@ -49,8 +49,9 @@ module DependencySpy
49
49
  method_option('offline', :type => :boolean, :default => false)
50
50
  method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES, :default => 'low')
51
51
  method_option('with-color', :type => :boolean, :default => true)
52
+ method_option('ignore', :aliases => :i, :type => :array, :default => [])
52
53
  def check
53
- manifests = API.check(options['path'], options['files'], options['platform'], options['database-path'], options['offline'])
54
+ manifests = API.check(options)
54
55
 
55
56
  formatted_output = if (options['formatter'] == 'text') && !options['output-path'] && options['with-color']
56
57
  DependencySpy::Formatters::Text.format(manifests, options['severity-threshold'])
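Review bot: handing the whole Thor `options` hash to `API.check(options)` couples the library API to the CLI's option names (hyphenated strings such as 'database-path'), which the API then reads under different symbol keys; building the hash explicitly here, e.g. `API.check(path: options['path'], database_path: options['database-path'], ignore: options['ignore'], …)`, keeps the two contracts independent and makes a key mismatch impossible. Also, this hunk adds `ignore` but no `verbose` option while the API reads `options[:verbose]`; if `verbose` is not declared elsewhere in this class, the new verbose messages cannot be reached from the CLI. The `--ignore` help text (or README) should say it takes a space-separated list of vulnerability identifiers as printed by the text formatter's new Identifier line.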
@@ -29,7 +29,7 @@ module DependencySpy
29
29
 
30
30
  filtered_manifests
31
31
  .reject { |m| m[:dependencies].nil? }
32
- .map(&:to_json)
32
+ .to_json
33
33
  end
34
34
 
35
35
  end
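Review bot: the old `.map(&:to_json)` returned a Ruby Array of JSON strings, so whatever was written out was not a single parseable JSON document; `.to_json` on the filtered array fixes that, but it is a breaking change for anyone already consuming the json formatter's output and should be listed in the changelog next to the 0.5.0 bump.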
@@ -28,13 +28,15 @@ module DependencySpy
28
28
 
29
29
  package_header = " Vulnerable: #{package.name}/#{package.type}:#{package.version}"
30
30
  package_body = package.vulnerabilities.map do |vuln|
31
- first = " Title: #{vuln.title}\n"
32
- second = " Severity: #{(vuln.severity || 'unknown').capitalize}\n"
33
- third = " Source: #{vuln.source_url}\n\n"
31
+ body = ''
32
+ body += " Title: #{vuln.title}\n"
33
+ body += " Severity: #{(vuln.severity || 'unknown').capitalize}\n"
34
+ body += " Source: #{vuln.source_url}\n"
35
+ body += " Identifier: #{vuln.id}\n\n"
34
36
  if severity_threshold && DependencySpy::Helper.severity_above_threshold?(vuln.severity, severity_threshold)
35
- "#{first}#{second}#{third}".red
37
+ body.red
36
38
  else
37
- "#{first}#{second}#{third}"
39
+ body
38
40
  end
39
41
  end
40
42
 
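Review bot: printing `vuln.id` is what makes the new `--ignore` option usable, good. Two small points: `body = ''` followed by repeated `body +=` allocates a fresh String at every step, so `body << …` or one multi-line string literal is the idiomatic form; and the threshold check here only decides the colour, both branches return `body`, so findings below `--severity-threshold` are still printed, just not in red. If filtering below the threshold is meant to happen elsewhere that is fine, but please confirm, since a user passing `-s high` will reasonably expect low findings to be absent.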
@@ -29,7 +29,7 @@ module DependencySpy
29
29
 
30
30
  filtered_manifests
31
31
  .reject { |m| m[:dependencies].nil? }
32
- .map(&:to_json)
32
+ .to_yaml
33
33
  end
34
34
 
35
35
  end
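Review bot: `.to_yaml` serialises the manifests exactly as Ruby holds them, and the lines above show they are hashes with symbol keys (`m[:dependencies]`), so the output will contain `:dependencies:`-style keys and, if any nested vulnerability values are not plain hashes, `!ruby/object` tags. A consumer then cannot use `YAML.safe_load` without `permitted_classes: [Symbol]` and is nudged toward `YAML.load`, which instantiates tagged objects. Converting to plain string-keyed hashes and arrays first, for example `JSON.parse(filtered_manifests.to_json).to_yaml`, produces YAML that loads safely everywhere. As with the json formatter, the switch from emitting JSON strings to real YAML is a user-visible change for 0.5.0.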
@@ -16,6 +16,6 @@
16
16
 
17
17
  module DependencySpy
18
18
 
19
- VERSION = '0.4.1'
19
+ VERSION = '0.5.0'
20
20
 
21
21
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependency_spy
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.1
4
+ version: 0.5.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rodrigo Fernandes
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-05-17 00:00:00.000000000 Z
11
+ date: 2019-07-03 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: codacy-coverage
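Review bot: `cert_chain: []` is unchanged, so 0.5.0 ships unsigned like 0.4.1 and the digests in checksums.yaml are the only integrity record, produced by the publisher at build time. For a tool whose purpose is dependency security it would be worth setting `signing_key` and `cert_chain` in the gemspec so that users can install with `gem install -P HighSecurity`. The version and date changes are consistent with the version.rb hunk.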
@@ -189,11 +189,14 @@ extensions: []
189
189
  extra_rdoc_files: []
190
190
  files:
191
191
  - ".circleci/config.yml"
192
+ - ".github/ISSUE_TEMPLATE/bug_report.md"
193
+ - ".github/ISSUE_TEMPLATE/feature_request.md"
192
194
  - ".gitignore"
193
195
  - ".rspec"
194
196
  - ".rubocop.yml"
195
197
  - ".ruby-version"
196
198
  - CODE_OF_CONDUCT.md
199
+ - CONTRIBUTING.md
197
200
  - Gemfile
198
201
  - Gemfile.lock
199
202
  - LICENSE
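Review bot: the two issue templates and CONTRIBUTING.md are now part of the gem's `files` list, which means they are packaged and installed with the library even though they are only meaningful in the repository; consider excluding `.github/` and the contributor docs from `spec.files` so the package carries only what the tool needs at runtime.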