dependency_spy 0.4.1 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bd76c3bfcbdcc405ea294b2005b889bb58ec929743debec07993c7779d564d98
-  data.tar.gz: 9ce10481a76d8dbb4381a3acacf76ece5dbfc0e1d9b82bece3dbef121ce1db2f
+  metadata.gz: 0ddb60aae0c5f147e8a30d6ace566ef78bbdc0ec19347ca1f7ba293c9fbeace0
+  data.tar.gz: 7b8af132b777ab01bb86e9bb411b301a6b43efd7e5f5041a60aab32d21ba2dce
 SHA512:
-  metadata.gz: bf1d350bbbe04a198ae7623b93bfbc8f03efa912a4d81de2025fdb434a6fd5ba2a3dd0b3faf0b23f5070b5d05b7d4d8612ae0fe48229a884712111be6a62784d
-  data.tar.gz: 791adfff9cfc910ddd0fdf78bbf96d65c55e93c6f4b51fd8a947cc3eedac0fbe76e8462b72f1314df151aa44999bee5b4b5117dc44bcc09111c3cdfa915557a5
+  metadata.gz: 9f28a41c70c1180129d3ad64324c5eb8248154bdef020751839e7772650c62ad36ff5307e3666d5dbab6d045269d4ce54b19f54c6c5231258260c5a42841b2e3
+  data.tar.gz: 872132f723b4a31fc739680ae336a151cca2b054d900ea5e33e52f1cee37be3f2acf4a8ceb6d4fd867a7bc1cf475c86dca0c1207d8769ec56b86f23e66ac62dd

data/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,32 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. Windows, Linux, Mac]
+ - Ruby Version [e.g. 2.5.5]
+ - Version [e.g. 22]
+
+**Additional context**
+Add any other context about the problem here.

data/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

data/CONTRIBUTING.md

@@ -0,0 +1,60 @@
+## How to contribute to dependency_spy
+
+### Main rules
+
+* Before you open a ticket or send a pull request, [search](https://github.com/rtfpessoa/dependency_spy/issues) for previous discussions about the same feature or issue. Add to the earlier ticket if you find one.
+
+* If you're proposing a new feature, make sure you create an issue to let other contributors know what you are working on.
+
+* Before sending a pull request make sure your code is tested.
+
+* Before sending a pull request for a feature, be sure to run tests.
+
+* Use the same coding style as the rest of the codebase.
+
+* Use `git rebase` (not `git merge`) to sync your work from time to time with the master branch.
+
+* After creating your pull request make sure the build is passing on [CircleCI](https://circleci.com/gh/rtfpessoa/dependency_spy)
+and that [Codacy](https://www.codacy.com/app/rtfpessoa/dependency_spy) is also confident in the code quality.
+
+### Commit Style
+
+Writing good commit logs is important. A commit log should describe what changed and why.
+Follow these guidelines when writing one:
+
+1. The first line should be 50 characters or less and contain a short
+   description of the change prefixed with the name of the changed
+   subsystem (e.g. "net: add localAddress and localPort to Socket").
+2. Keep the second line blank.
+3. Wrap all other lines at 72 columns.
+
+A good commit log can look something like this:
+
+```
+subsystem: explaining the commit in one line
+
+Body of commit message is a few lines of text, explaining things
+in more detail, possibly giving some background about the issue
+being fixed, etc. etc.
+
+The body of the commit message can be several paragraphs, and
+please do proper word-wrap and keep columns shorter than about
+72 characters or so. That way `git log` will show things
+nicely even when it is indented.
+```
+
+### Developer's Certificate of Origin 1.0
+
+By making a contribution to this project, I certify that:
+
+* (a) The contribution was created in whole or in part by me and I
+  have the right to submit it under the open source license indicated
+  in the file; or
+* (b) The contribution is based upon previous work that, to the best
+  of my knowledge, is covered under an appropriate open source license
+  and I have the right under that license to submit that work with
+  modifications, whether created in whole or in part by me, under the
+  same open source license (unless I am permitted to submit under a
+  different license), as indicated in the file; or
+* (c) The contribution was provided directly to me by some other
+  person who certified (a), (b) or (c) and I have not modified it.

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    dependency_spy (0.4.1)
+    dependency_spy (0.5.0)
       bibliothecary (~> 6.6)
       colorize (= 0.8.1)
       semantic_range (~> 2.2)
@@ -13,12 +13,14 @@ GEM
   specs:
     ansi (1.5.0)
     ast (2.4.0)
-    bibliothecary (6.6.0)
+    bibliothecary (6.7.3)
       commander
       deb_control
       librariesio-gem-parser
       ox (>= 2.8.1)
       sdl4r
+      strings
+      strings-ansi
       toml-rb (~> 1.0)
       typhoeus
     citrus (3.0.2)
@@ -29,21 +31,21 @@ GEM
       highline (~> 2.0.0)
     deb_control (0.0.1)
     diff-lcs (1.3)
-    docile (1.3.1)
+    docile (1.3.2)
     ethon (0.12.0)
       ffi (>= 1.3.0)
     execjs (2.7.0)
-    ffi (1.11.0)
+    ffi (1.11.1)
     highline (2.0.2)
-    jaro_winkler (1.5.2)
+    jaro_winkler (1.5.3)
     json (2.2.0)
-    kramdown (1.17.0)
+    kramdown (2.1.0)
     librariesio-gem-parser (1.0.0)
     libv8 (3.16.14.19-x86_64-linux)
     oga (2.15)
       ast
       ruby-ll (~> 2.1)
-    ox (2.10.0)
+    ox (2.11.0)
     parallel (1.17.0)
     parser (2.6.3.0)
       ast (~> 2.4.0)
@@ -56,16 +58,16 @@ GEM
       rspec-mocks (~> 3.8.0)
     rspec-collection_matchers (1.1.3)
       rspec-expectations (>= 2.99.0.beta1)
-    rspec-core (3.8.0)
+    rspec-core (3.8.2)
       rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.3)
+    rspec-expectations (3.8.4)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+    rspec-mocks (3.8.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.8.0)
-    rspec-support (3.8.0)
-    rubocop (0.69.0)
+    rspec-support (3.8.2)
+    rubocop (0.72.0)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
       parser (>= 2.6)
@@ -77,15 +79,20 @@ GEM
     ruby-ll (2.1.2)
       ansi
       ast
-    ruby-progressbar (1.10.0)
+    ruby-progressbar (1.10.1)
     sdl4r (0.9.11)
     semantic_interval (0.1.0)
     semantic_range (2.2.1)
-    simplecov (0.16.1)
+    simplecov (0.17.0)
       docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
+    strings (0.1.5)
+      strings-ansi (~> 0.1)
+      unicode-display_width (~> 1.5)
+      unicode_utils (~> 1.4)
+    strings-ansi (0.1.0)
     therubyracer (0.12.3)
       libv8 (~> 3.16.14.15)
       ref
@@ -95,10 +102,11 @@ GEM
     typhoeus (1.3.1)
       ethon (>= 0.9.0)
     unicode-display_width (1.6.0)
-    yavdb (0.5.1)
-      execjs (~> 2.7.0)
-      json (~> 2.1)
-      kramdown (~> 1.17)
+    unicode_utils (1.4.0)
+    yavdb (0.5.2)
+      execjs (~> 2.7)
+      json (~> 2.2)
+      kramdown (~> 2.1)
       oga (~> 2.15)
       semantic_interval (~> 0.1)
       therubyracer (~> 0.12)

data/lib/dependency_spy.rb

@@ -28,12 +28,20 @@ require_relative 'dependency_spy/semver'
 module DependencySpy
   class API
 
-    def self.check(path = Dir.pwd, files = nil, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH, offline = false)
+    def self.check(options)
+      verbose = options[:verbose]
+      path = options[:path] || Dir.pwd
+      files = options[:files]
+      platform = options[:platform]
+      database_path = options[:database_path] || YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH
+      offline = options[:offline] || false
+      ignore = options[:ignore] || []
+
       if !File.exist?(database_path) && offline
         puts 'No local database found. Cannot obtain database since offline mode is enabled.'
         exit(10)
       elsif !offline
-        puts 'Going to update the local vulnerability database.'
+        puts 'Going to update the local vulnerability database.' if verbose
         YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
       end
 
@@ -64,9 +72,13 @@ module DependencySpy
             vulnerable = vuln.vulnerable_versions ? vuln.vulnerable_versions.any? { |vv| DependencySpy::SemVer.intersects(vv, version) } : false
             unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
             patched    = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
+            ignored    = ignore.include?(vuln.id)
 
             if unaffected || patched
               false
+            elsif ignored
+              puts "Skipping ignored vulnerability with #{vuln.id}." if verbose
+              false
             else
               vulnerable
             end

data/lib/dependency_spy/cli.rb

@@ -49,8 +49,9 @@ module DependencySpy
     method_option('offline', :type => :boolean, :default => false)
     method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES, :default => 'low')
     method_option('with-color', :type => :boolean, :default => true)
+    method_option('ignore', :aliases => :i, :type => :array, :default => [])
     def check
-      manifests = API.check(options['path'], options['files'], options['platform'], options['database-path'], options['offline'])
+      manifests = API.check(options)
 
       formatted_output = if (options['formatter'] == 'text') && !options['output-path'] && options['with-color']
                            DependencySpy::Formatters::Text.format(manifests, options['severity-threshold'])

data/lib/dependency_spy/formatters/json.rb

@@ -29,7 +29,7 @@ module DependencySpy
 
         filtered_manifests
           .reject { |m| m[:dependencies].nil? }
-          .map(&:to_json)
+          .to_json
       end
 
     end

data/lib/dependency_spy/formatters/text.rb

@@ -28,13 +28,15 @@ module DependencySpy
 
             package_header = "    Vulnerable: #{package.name}/#{package.type}:#{package.version}"
             package_body = package.vulnerabilities.map do |vuln|
-              first = "        Title: #{vuln.title}\n"
-              second = "        Severity: #{(vuln.severity || 'unknown').capitalize}\n"
-              third = "        Source: #{vuln.source_url}\n\n"
+              body = ''
+              body += "        Title: #{vuln.title}\n"
+              body += "        Severity: #{(vuln.severity || 'unknown').capitalize}\n"
+              body += "        Source: #{vuln.source_url}\n"
+              body += "        Identifier: #{vuln.id}\n\n"
               if severity_threshold && DependencySpy::Helper.severity_above_threshold?(vuln.severity, severity_threshold)
-                "#{first}#{second}#{third}".red
+                body.red
               else
-                "#{first}#{second}#{third}"
+                body
               end
             end
 

data/lib/dependency_spy/formatters/yaml.rb

@@ -29,7 +29,7 @@ module DependencySpy
 
         filtered_manifests
           .reject { |m| m[:dependencies].nil? }
-          .map(&:to_json)
+          .to_yaml
       end
 
     end

data/lib/dependency_spy/version.rb

@@ -16,6 +16,6 @@
 
 module DependencySpy
 
-  VERSION = '0.4.1'
+  VERSION = '0.5.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependency_spy
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.5.0
 platform: ruby
 authors:
 - Rodrigo Fernandes
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-05-17 00:00:00.000000000 Z
+date: 2019-07-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codacy-coverage
@@ -189,11 +189,14 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".circleci/config.yml"
+- ".github/ISSUE_TEMPLATE/bug_report.md"
+- ".github/ISSUE_TEMPLATE/feature_request.md"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
 - ".ruby-version"
 - CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
 - Gemfile
 - Gemfile.lock
 - LICENSE