dependency_spy 0.5.0 → 0.6.0

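--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 0ddb60aae0c5f147e8a30d6ace566ef78bbdc0ec19347ca1f7ba293c9fbeace0
-data.tar.gz: 7b8af132b777ab01bb86e9bb411b301a6b43efd7e5f5041a60aab32d21ba2dce
+metadata.gz: 870c1695f62b6c4d5528955daa987ac893ea480a4a2e4ff4416e595170b45fe6
+data.tar.gz: eb662a8e9f08dc6b6ce5e996e2be7e217b86eab24bb70bb46d19bf25e00db186
 SHA512:
-metadata.gz: 9f28a41c70c1180129d3ad64324c5eb8248154bdef020751839e7772650c62ad36ff5307e3666d5dbab6d045269d4ce54b19f54c6c5231258260c5a42841b2e3
-data.tar.gz: 872132f723b4a31fc739680ae336a151cca2b054d900ea5e33e52f1cee37be3f2acf4a8ceb6d4fd867a7bc1cf475c86dca0c1207d8769ec56b86f23e66ac62dd
+metadata.gz: 8ed9e7adb7aa849e7e33d7d2d725cb39d53ee33f55e49ddf4fa3a87054ef9e55e40a70345b0dea238769e115982a0d4d2848727dbd49fd7662e407984b790e1b
+data.tar.gz: 2fa757046d9bd09f3bfc75d44a13fa760029560f23573bc56ed786a904b89d7e96072b2b0c5370a46a6171f6b16b5fd0f9075e17154503f4d3b581d98ceb2cb5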
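--- a/data/.gitignore
+++ b/data/.gitignore
@@ -112,3 +112,5 @@ build-iPhoneSimulator/
 *.iml
 
 # End of https://www.gitignore.io/api/jetbrains,ruby
+
+.depspy.yml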
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- dependency_spy (0.5.0)
4
+ dependency_spy (0.6.0)
5
5
  bibliothecary (~> 6.6)
6
6
  colorize (= 0.8.1)
7
7
  semantic_range (~> 2.2)
@@ -13,7 +13,7 @@ GEM
13
13
  specs:
14
14
  ansi (1.5.0)
15
15
  ast (2.4.0)
16
- bibliothecary (6.7.3)
16
+ bibliothecary (6.8.4)
17
17
  commander
18
18
  deb_control
19
19
  librariesio-gem-parser
@@ -36,12 +36,12 @@ GEM
36
36
  ffi (>= 1.3.0)
37
37
  execjs (2.7.0)
38
38
  ffi (1.11.1)
39
- highline (2.0.2)
39
+ highline (2.0.3)
40
40
  jaro_winkler (1.5.3)
41
41
  json (2.2.0)
42
42
  kramdown (2.1.0)
43
43
  librariesio-gem-parser (1.0.0)
44
- libv8 (3.16.14.19-x86_64-linux)
44
+ libv8 (3.16.14.19)
45
45
  oga (2.15)
46
46
  ast
47
47
  ruby-ll (~> 2.1)
@@ -88,7 +88,7 @@ GEM
88
88
  json (>= 1.8, < 3)
89
89
  simplecov-html (~> 0.10.0)
90
90
  simplecov-html (0.10.2)
91
- strings (0.1.5)
91
+ strings (0.1.6)
92
92
  strings-ansi (~> 0.1)
93
93
  unicode-display_width (~> 1.5)
94
94
  unicode_utils (~> 1.4)
@@ -103,7 +103,7 @@ GEM
103
103
  ethon (>= 0.9.0)
104
104
  unicode-display_width (1.6.0)
105
105
  unicode_utils (1.4.0)
106
- yavdb (0.5.2)
106
+ yavdb (0.5.3)
107
107
  execjs (~> 2.7)
108
108
  json (~> 2.2)
109
109
  kramdown (~> 2.1)
@@ -0,0 +1,12 @@
1
+ path: '/path/to/files' # Path to find files. DEFAULT: Dir.pwd
2
+ files: 'comma.sep,file.list' # Specific file list relative to `path`. DEFAULT: All files
3
+ formatter: 'text' # Output format. DEFAULT: text; AVAILABLE: text,json,yaml
4
+ platform: 'rubygems' # Supported YAVDB package manager lookup. DEFAULT: not specified (ALL); AVAILABLE: (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L31)
5
+ output-path: '/path/to/output' # Path to generate report to. DEFAULT: not specified (console output)
6
+ database-path: '/path/to/yavdb/database' # Path to find/store local YAVDB DB. DEFAULT: YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L28)
7
+ offline: false # Operate in offline mode (don't try to get YAVDB). Must have local YAVDB available. DEFAULT: false; AVAILABLE: true,false
8
+ severity-threshold: 'low' # Threshold for non-zero exit status. Doesn't change output. DEFAULT: 'low'; AVAILABLE: (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L33)
9
+ with-color: true # Generate colored console output. DEFAULT: true; AVAILABLE: true,false
10
+ ignore: # A list of all YAVDB vulnerability identifiers to ignore. Removes from output.
11
+ - "identifier:to:ignore:19551105"
12
+ vuln-db-path: '/path/to/yavdb' # Path to local YAVDB for updating. DEFAULT: YAVDB::Constants::DEFAULT_YAVDB_PATH (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L27)
@@ -24,6 +24,7 @@ require_relative 'formatters/yaml'
24
24
  require_relative 'outputs/stdout'
25
25
  require_relative 'outputs/file'
26
26
  require_relative 'helper/helper'
27
+ require_relative 'helper/config_file'
27
28
 
28
29
  module DependencySpy
29
30
  class CLI < Thor
@@ -37,32 +38,49 @@ module DependencySpy
37
38
  DependencySpy::Formatters::Yaml
38
39
  ]
39
40
 
40
- class_option('verbose', :type => :boolean, :default => false)
41
+ class_option('verbose', :type => :boolean)
41
42
 
42
43
  desc('check', 'Check dependencies for known vulnerabilities')
43
- method_option('path', :aliases => :p, :type => :string, :default => Dir.pwd)
44
+ method_option('config-file-path', :aliases => :c, :type => :string)
45
+ method_option('path', :aliases => :p, :type => :string)
44
46
  method_option('files', :type => :string)
45
- method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase }, :default => FORMATTERS.first.name.split('::').last.downcase)
47
+ method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase })
46
48
  method_option('platform', :aliases => :m, :type => :string, :enum => YAVDB::Constants::POSSIBLE_PACKAGE_MANAGERS.map(&:downcase))
47
49
  method_option('output-path', :aliases => :o, :type => :string)
48
- method_option('database-path', :type => :string, :aliases => :p, :default => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
49
- method_option('offline', :type => :boolean, :default => false)
50
- method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES, :default => 'low')
51
- method_option('with-color', :type => :boolean, :default => true)
52
- method_option('ignore', :aliases => :i, :type => :array, :default => [])
50
+ method_option('database-path', :type => :string, :aliases => :p)
51
+ method_option('offline', :type => :boolean)
52
+ method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES)
53
+ method_option('with-color', :type => :boolean)
54
+ method_option('ignore', :aliases => :i, :type => :array)
53
55
  def check
54
- manifests = API.check(options)
56
+ defaults = {
57
+ 'verbose' => false,
58
+ 'path' => Dir.pwd,
59
+ 'formatter' => FORMATTERS.first.name.split('::').last.downcase,
60
+ 'database-path' => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH,
61
+ 'offline' => false,
62
+ 'severity-threshold' => 'low',
63
+ 'with-color' => true,
64
+ 'ignore' => []
65
+ }
66
+ the_options = defaults.merge(options)
55
67
 
56
- formatted_output = if (options['formatter'] == 'text') && !options['output-path'] && options['with-color']
57
- DependencySpy::Formatters::Text.format(manifests, options['severity-threshold'])
68
+ api_options = the_options.transform_keys(&:to_sym)
69
+ api_options[:database_path] = api_options[:'database-path']
70
+ the_options.freeze
71
+ api_options.freeze
72
+ manifests = API.check(api_options)
73
+
74
+ formatted_output = if (the_options['formatter'] == 'text') && !the_options['output-path'] && the_options['with-color']
75
+ DependencySpy::Formatters::Text.format(manifests, the_options['severity-threshold'])
58
76
  else
59
77
  FORMATTERS
60
- .find { |f| f.name.split('::').last.downcase == options['formatter'] }
78
+ .find { |f| f.name.split('::').last.downcase == the_options['formatter'] }
61
79
  .format(manifests)
62
80
  end
63
81
 
64
- if options['output-path']
65
- DependencySpy::Outputs::FileSystem.write(options['output-path'], formatted_output)
82
+ if the_options['output-path']
83
+ DependencySpy::Outputs::FileSystem.write(the_options['output-path'], formatted_output)
66
84
  else
67
85
  DependencySpy::Outputs::StdOut.write(formatted_output)
68
86
  end
@@ -71,7 +89,7 @@ module DependencySpy
71
89
  manifests.any? do |manifest|
72
90
  manifest[:dependencies]&.any? do |dependency|
73
91
  dependency[:vulnerabilities]&.any? do |vuln|
74
- DependencySpy::Helper.severity_above_threshold?(vuln.severity, options['severity-threshold'])
92
+ DependencySpy::Helper.severity_above_threshold?(vuln.severity, the_options['severity-threshold'])
75
93
  end
76
94
  end
77
95
  end
@@ -79,11 +97,25 @@ module DependencySpy
79
97
  exit(1) if has_vulnerabilities
80
98
  end
81
99
 
82
- method_option('vuln-db-path', :aliases => :d, :type => :string, :default => YAVDB::Constants::DEFAULT_YAVDB_PATH)
100
+ method_option('vuln-db-path', :aliases => :d, :type => :string)
83
101
  desc('update', 'Download or update database from the official yavdb repository.')
84
102
 
85
103
  def update
86
- API.update(options['vuln-db-path'])
104
+ defaults = {
105
+ 'verbose' => false,
106
+ 'vuln-db-path' => YAVDB::Constants::DEFAULT_YAVDB_PATH
107
+ }
108
+ the_options = defaults.merge(options)
109
+ the_options.freeze
110
+ API.update(the_options['vuln-db-path'])
111
+ end
112
+
113
+ private
114
+
115
+ def options
116
+ cli_options = super
117
+ config_file_options = DependencySpy::ConfigFile.get_config(cli_options[:'config-file-path'])
118
+ config_file_options.merge(cli_options)
87
119
  end
88
120
 
89
121
  end
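Review bot: The private `options` override at the end of this section reads a config file on every call and, when no `config-file-path` was given, falls back to `ConfigFile`'s default `.depspy.yml` in the current working directory, so any checkout being scanned can supply every allow-listed key — including `output-path`, `database-path` and `vuln-db-path` — for both `check` and `update`, even though `config-file-path` is only declared as an option of `check`. Consider resolving the file once, printing which file was applied, and treating the implicit working-directory file as opt-in rather than automatic. `config_file_options.merge(cli_options)` also returns a plain string-keyed `Hash` rather than Thor's indifferent-access hash, so any `options[:symbol]` lookup elsewhere (possibly inside Thor itself) would now yield nil; wrapping the result, `Thor::CoreExt::HashWithIndifferentAccess.new(config_file_options.merge(cli_options))`, keeps both access styles working. Unrelated to the config work but visible on the new side of the `check` hunk, `path` and `database-path` both declare `:aliases => :p`, so one alias shadows the other. The enclosing `CLI` class starts before this section's hunks.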
@@ -0,0 +1,41 @@
1
+ require 'yaml'
2
+
3
+ module DependencySpy
4
+ class ConfigFile
5
+
6
+ SAFE_CONFIG_PARAMS = [
7
+ 'path',
8
+ 'files',
9
+ 'formatter',
10
+ 'platform',
11
+ 'output-path',
12
+ 'database-path',
13
+ 'offline',
14
+ 'severity-threshold',
15
+ 'with-color',
16
+ 'ignore',
17
+ 'vuln-db-path'
18
+ ].freeze
19
+
20
+ def self.get_config(config_file_path = nil)
21
+ if !config_file_path.nil? && !File.file?(config_file_path)
22
+ puts 'Config file specified but not found.'
23
+ exit(10)
24
+
25
+ end
26
+
27
+ begin
28
+ file_path = config_file_path || '.depspy.yml'
29
+ config = YAML.load_file(file_path) || {}
30
+ config.slice(*SAFE_CONFIG_PARAMS)
31
+ rescue Errno::ENOENT
32
+ {}
33
+ rescue Psych::SyntaxError => e
34
+ puts 'Config File Parsing Error:'
35
+ puts e.message
36
+ exit(10)
37
+ end
38
+ end
39
+
40
+ end
41
+ end
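Review bot: `YAML.load_file` on the new line 29 deserializes the config with the full loader, and because the path defaults to `.depspy.yml` in the working directory the input is effectively controlled by whatever repository is being scanned; `YAML.safe_load(File.read(file_path))` restricts it to plain scalars, arrays and hashes, which is all the allow-listed keys need, with `Psych::DisallowedClass` added to the rescue chain. The result is also assumed to be a Hash: a file whose root is a scalar or a list makes `config.slice` raise `NoMethodError` instead of taking the handled parse-error exit. `rescue Errno::ENOENT` only covers the implicit default, since an explicitly given but missing path already exits on line 22; a short comment saying so, `# ENOENT here can only come from the implicit .depspy.yml default`, would save the next reader from re-deriving it. Rewritten body below.
```ruby
def self.get_config(config_file_path = nil)
  # … unchanged: explicit path must exist, else exit(10) …

  begin
    file_path = config_file_path || '.depspy.yml'
    # safe_load: the file may live in an untrusted checkout; plain data only
    config = YAML.safe_load(File.read(file_path)) || {}
    unless config.is_a?(Hash)
      puts 'Config File Parsing Error:'
      puts 'top-level value must be a mapping of option names to values'
      exit(10)
    end
    config.slice(*SAFE_CONFIG_PARAMS)
  rescue Errno::ENOENT
    # ENOENT here can only come from the implicit .depspy.yml default
    {}
  rescue Psych::SyntaxError, Psych::DisallowedClass => e
    # … unchanged: print 'Config File Parsing Error:' and e.message, exit(10) …
  end
end
```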
@@ -16,6 +16,6 @@
16
16
 
17
17
  module DependencySpy
18
18
 
19
- VERSION = '0.5.0'
19
+ VERSION = '0.6.0'
20
20
 
21
21
  end
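--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependency_spy
 version: !ruby/object:Gem::Version
-version: 0.5.0
+version: 0.6.0
 platform: ruby
 authors:
 - Rodrigo Fernandes
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-07-03 00:00:00.000000000 Z
+date: 2019-10-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: codacy-coverage
@@ -207,6 +207,7 @@ files:
 - bin/depspy
 - bin/setup
 - dependency_spy.gemspec
+- example.depspy.yml
 - examples/Gemfile
 - examples/Gemfile.lock
 - examples/npm-shrinkwrap.json
@@ -218,6 +219,7 @@ files:
 - lib/dependency_spy/formatters/json.rb
 - lib/dependency_spy/formatters/text.rb
 - lib/dependency_spy/formatters/yaml.rb
+- lib/dependency_spy/helper/config_file.rb
 - lib/dependency_spy/helper/helper.rb
 - lib/dependency_spy/outputs/file.rb
 - lib/dependency_spy/outputs/stdout.rb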