dependency_spy 0.5.0 → 0.6.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (8) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +2 -0
  3. data/Gemfile.lock +6 -6
  4. data/example.depspy.yml +12 -0
  5. data/lib/dependency_spy/cli.rb +49 -17
  6. data/lib/dependency_spy/helper/config_file.rb +41 -0
  7. data/lib/dependency_spy/version.rb +1 -1
  8. metadata +4 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0ddb60aae0c5f147e8a30d6ace566ef78bbdc0ec19347ca1f7ba293c9fbeace0
4
- data.tar.gz: 7b8af132b777ab01bb86e9bb411b301a6b43efd7e5f5041a60aab32d21ba2dce
3
+ metadata.gz: 870c1695f62b6c4d5528955daa987ac893ea480a4a2e4ff4416e595170b45fe6
4
+ data.tar.gz: eb662a8e9f08dc6b6ce5e996e2be7e217b86eab24bb70bb46d19bf25e00db186
5
5
  SHA512:
6
- metadata.gz: 9f28a41c70c1180129d3ad64324c5eb8248154bdef020751839e7772650c62ad36ff5307e3666d5dbab6d045269d4ce54b19f54c6c5231258260c5a42841b2e3
7
- data.tar.gz: 872132f723b4a31fc739680ae336a151cca2b054d900ea5e33e52f1cee37be3f2acf4a8ceb6d4fd867a7bc1cf475c86dca0c1207d8769ec56b86f23e66ac62dd
6
+ metadata.gz: 8ed9e7adb7aa849e7e33d7d2d725cb39d53ee33f55e49ddf4fa3a87054ef9e55e40a70345b0dea238769e115982a0d4d2848727dbd49fd7662e407984b790e1b
7
+ data.tar.gz: 2fa757046d9bd09f3bfc75d44a13fa760029560f23573bc56ed786a904b89d7e96072b2b0c5370a46a6171f6b16b5fd0f9075e17154503f4d3b581d98ceb2cb5
data/.gitignore CHANGED
@@ -112,3 +112,5 @@ build-iPhoneSimulator/
112
112
  *.iml
113
113
 
114
114
  # End of https://www.gitignore.io/api/jetbrains,ruby
115
+
116
+ .depspy.yml
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- dependency_spy (0.5.0)
4
+ dependency_spy (0.6.0)
5
5
  bibliothecary (~> 6.6)
6
6
  colorize (= 0.8.1)
7
7
  semantic_range (~> 2.2)
@@ -13,7 +13,7 @@ GEM
13
13
  specs:
14
14
  ansi (1.5.0)
15
15
  ast (2.4.0)
16
- bibliothecary (6.7.3)
16
+ bibliothecary (6.8.4)
17
17
  commander
18
18
  deb_control
19
19
  librariesio-gem-parser
@@ -36,12 +36,12 @@ GEM
36
36
  ffi (>= 1.3.0)
37
37
  execjs (2.7.0)
38
38
  ffi (1.11.1)
39
- highline (2.0.2)
39
+ highline (2.0.3)
40
40
  jaro_winkler (1.5.3)
41
41
  json (2.2.0)
42
42
  kramdown (2.1.0)
43
43
  librariesio-gem-parser (1.0.0)
44
- libv8 (3.16.14.19-x86_64-linux)
44
+ libv8 (3.16.14.19)
45
45
  oga (2.15)
46
46
  ast
47
47
  ruby-ll (~> 2.1)
@@ -88,7 +88,7 @@ GEM
88
88
  json (>= 1.8, < 3)
89
89
  simplecov-html (~> 0.10.0)
90
90
  simplecov-html (0.10.2)
91
- strings (0.1.5)
91
+ strings (0.1.6)
92
92
  strings-ansi (~> 0.1)
93
93
  unicode-display_width (~> 1.5)
94
94
  unicode_utils (~> 1.4)
@@ -103,7 +103,7 @@ GEM
103
103
  ethon (>= 0.9.0)
104
104
  unicode-display_width (1.6.0)
105
105
  unicode_utils (1.4.0)
106
- yavdb (0.5.2)
106
+ yavdb (0.5.3)
107
107
  execjs (~> 2.7)
108
108
  json (~> 2.2)
109
109
  kramdown (~> 2.1)
data/example.depspy.yml ADDED
@@ -0,0 +1,12 @@
1
+ path: '/path/to/files' # Path to find files. DEFAULT: Dir.pwd
2
+ files: 'comma.sep,file.list' # Specific file list relative to `path`. DEFAULT: All files
3
+ formatter: 'text' # Output format. DEFAULT: text; AVAILABLE: text,json,yaml
4
+ platform: 'rubygems' # Supported YAVDB package manager lookup. DEFAULT: not specified (ALL); AVAILABLE: (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L31)
5
+ output-path: '/path/to/output' # Path to generate report to. DEFAULT: not specified (console output)
6
+ database-path: '/path/to/yavdb/database' # Path to find/store local YAVDB DB. DEFAULT: YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L28)
7
+ offline: false # Operate in offline mode (don't try to get YAVDB). Must have local YAVDB available. DEFAULT: false; AVAILABLE: true,false
8
+ severity-threshold: 'low' # Threshold for non-zero exit status. Doesn't change output. DEFAULT: 'low'; AVAILABLE: (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L33)
9
+ with-color: true # Generate colored console output. DEFAULT: true; AVAILABLE: true,false
10
+ ignore: # A list of all YAVDB vulnerability identifiers to ignore. Removes from output.
11
+ - "identifier:to:ignore:19551105"
12
+ vuln-db-path: '/path/to/yavdb' # Path to local YAVDB for updating. DEFAULT: YAVDB::Constants::DEFAULT_YAVDB_PATH (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L27)
data/lib/dependency_spy/cli.rb CHANGED
@@ -24,6 +24,7 @@ require_relative 'formatters/yaml'
24
24
  require_relative 'outputs/stdout'
25
25
  require_relative 'outputs/file'
26
26
  require_relative 'helper/helper'
27
+ require_relative 'helper/config_file'
27
28
 
28
29
  module DependencySpy
29
30
  class CLI < Thor
@@ -37,32 +38,49 @@ module DependencySpy
37
38
  DependencySpy::Formatters::Yaml
38
39
  ]
39
40
 
40
- class_option('verbose', :type => :boolean, :default => false)
41
+ class_option('verbose', :type => :boolean)
41
42
 
42
43
  desc('check', 'Check dependencies for known vulnerabilities')
43
- method_option('path', :aliases => :p, :type => :string, :default => Dir.pwd)
44
+ method_option('config-file-path', :aliases => :c, :type => :string)
45
+ method_option('path', :aliases => :p, :type => :string)
44
46
  method_option('files', :type => :string)
45
- method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase }, :default => FORMATTERS.first.name.split('::').last.downcase)
47
+ method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase })
46
48
  method_option('platform', :aliases => :m, :type => :string, :enum => YAVDB::Constants::POSSIBLE_PACKAGE_MANAGERS.map(&:downcase))
47
49
  method_option('output-path', :aliases => :o, :type => :string)
48
- method_option('database-path', :type => :string, :aliases => :p, :default => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
49
- method_option('offline', :type => :boolean, :default => false)
50
- method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES, :default => 'low')
51
- method_option('with-color', :type => :boolean, :default => true)
52
- method_option('ignore', :aliases => :i, :type => :array, :default => [])
50
+ method_option('database-path', :type => :string, :aliases => :p)
51
+ method_option('offline', :type => :boolean)
52
+ method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES)
53
+ method_option('with-color', :type => :boolean)
54
+ method_option('ignore', :aliases => :i, :type => :array)
53
55
  def check
54
- manifests = API.check(options)
56
+ defaults = {
57
+ 'verbose' => false,
58
+ 'path' => Dir.pwd,
59
+ 'formatter' => FORMATTERS.first.name.split('::').last.downcase,
60
+ 'database-path' => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH,
61
+ 'offline' => false,
62
+ 'severity-threshold' => 'low',
63
+ 'with-color' => true,
64
+ 'ignore' => []
65
+ }
66
+ the_options = defaults.merge(options)
55
67
 
56
- formatted_output = if (options['formatter'] == 'text') && !options['output-path'] && options['with-color']
57
- DependencySpy::Formatters::Text.format(manifests, options['severity-threshold'])
68
+ api_options = the_options.transform_keys(&:to_sym)
69
+ api_options[:database_path] = api_options[:'database-path']
70
+ the_options.freeze
71
+ api_options.freeze
72
+ manifests = API.check(api_options)
73
+
74
+ formatted_output = if (the_options['formatter'] == 'text') && !the_options['output-path'] && the_options['with-color']
75
+ DependencySpy::Formatters::Text.format(manifests, the_options['severity-threshold'])
58
76
  else
59
77
  FORMATTERS
60
- .find { |f| f.name.split('::').last.downcase == options['formatter'] }
78
+ .find { |f| f.name.split('::').last.downcase == the_options['formatter'] }
61
79
  .format(manifests)
62
80
  end
63
81
 
64
- if options['output-path']
65
- DependencySpy::Outputs::FileSystem.write(options['output-path'], formatted_output)
82
+ if the_options['output-path']
83
+ DependencySpy::Outputs::FileSystem.write(the_options['output-path'], formatted_output)
66
84
  else
67
85
  DependencySpy::Outputs::StdOut.write(formatted_output)
68
86
  end
@@ -71,7 +89,7 @@ module DependencySpy
71
89
  manifests.any? do |manifest|
72
90
  manifest[:dependencies]&.any? do |dependency|
73
91
  dependency[:vulnerabilities]&.any? do |vuln|
74
- DependencySpy::Helper.severity_above_threshold?(vuln.severity, options['severity-threshold'])
92
+ DependencySpy::Helper.severity_above_threshold?(vuln.severity, the_options['severity-threshold'])
75
93
  end
76
94
  end
77
95
  end
@@ -79,11 +97,25 @@ module DependencySpy
79
97
  exit(1) if has_vulnerabilities
80
98
  end
81
99
 
82
- method_option('vuln-db-path', :aliases => :d, :type => :string, :default => YAVDB::Constants::DEFAULT_YAVDB_PATH)
100
+ method_option('vuln-db-path', :aliases => :d, :type => :string)
83
101
  desc('update', 'Download or update database from the official yavdb repository.')
84
102
 
85
103
  def update
86
- API.update(options['vuln-db-path'])
104
+ defaults = {
105
+ 'verbose' => false,
106
+ 'vuln-db-path' => YAVDB::Constants::DEFAULT_YAVDB_PATH
107
+ }
108
+ the_options = defaults.merge(options)
109
+ the_options.freeze
110
+ API.update(the_options['vuln-db-path'])
111
+ end
112
+
113
+ private
114
+
115
+ def options
116
+ cli_options = super
117
+ config_file_options = DependencySpy::ConfigFile.get_config(cli_options[:'config-file-path'])
118
+ config_file_options.merge(cli_options)
87
119
  end
88
120
 
89
121
  end
data/lib/dependency_spy/helper/config_file.rb ADDED
@@ -0,0 +1,41 @@
1
+ require 'yaml'
2
+
3
+ module DependencySpy
4
+ class ConfigFile
5
+
6
+ SAFE_CONFIG_PARAMS = [
7
+ 'path',
8
+ 'files',
9
+ 'formatter',
10
+ 'platform',
11
+ 'output-path',
12
+ 'database-path',
13
+ 'offline',
14
+ 'severity-threshold',
15
+ 'with-color',
16
+ 'ignore',
17
+ 'vuln-db-path'
18
+ ].freeze
19
+
20
+ def self.get_config(config_file_path = nil)
21
+ if !config_file_path.nil? && !File.file?(config_file_path)
22
+ puts 'Config file specified but not found.'
23
+ exit(10)
24
+
25
+ end
26
+
27
+ begin
28
+ file_path = config_file_path || '.depspy.yml'
29
+ config = YAML.load_file(file_path) || {}
30
+ config.slice(*SAFE_CONFIG_PARAMS)
31
+ rescue Errno::ENOENT
32
+ {}
33
+ rescue Psych::SyntaxError => e
34
+ puts 'Config File Parsing Error:'
35
+ puts e.message
36
+ exit(10)
37
+ end
38
+ end
39
+
40
+ end
41
+ end
data/lib/dependency_spy/version.rb CHANGED
@@ -16,6 +16,6 @@
16
16
 
17
17
  module DependencySpy
18
18
 
19
- VERSION = '0.5.0'
19
+ VERSION = '0.6.0'
20
20
 
21
21
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependency_spy
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.0
4
+ version: 0.6.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rodrigo Fernandes
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-07-03 00:00:00.000000000 Z
11
+ date: 2019-10-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: codacy-coverage
@@ -207,6 +207,7 @@ files:
207
207
  - bin/depspy
208
208
  - bin/setup
209
209
  - dependency_spy.gemspec
210
+ - example.depspy.yml
210
211
  - examples/Gemfile
211
212
  - examples/Gemfile.lock
212
213
  - examples/npm-shrinkwrap.json
@@ -218,6 +219,7 @@ files:
218
219
  - lib/dependency_spy/formatters/json.rb
219
220
  - lib/dependency_spy/formatters/text.rb
220
221
  - lib/dependency_spy/formatters/yaml.rb
222
+ - lib/dependency_spy/helper/config_file.rb
221
223
  - lib/dependency_spy/helper/helper.rb
222
224
  - lib/dependency_spy/outputs/file.rb
223
225
  - lib/dependency_spy/outputs/stdout.rb