dependency_spy 0.5.0 → 0.6.0
- checksums.yaml +4 -4
- data/.gitignore +2 -0
- data/Gemfile.lock +6 -6
- data/example.depspy.yml +12 -0
- data/lib/dependency_spy/cli.rb +49 -17
- data/lib/dependency_spy/helper/config_file.rb +41 -0
- data/lib/dependency_spy/version.rb +1 -1
- metadata +4 -2
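--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 870c1695f62b6c4d5528955daa987ac893ea480a4a2e4ff4416e595170b45fe6
+data.tar.gz: eb662a8e9f08dc6b6ce5e996e2be7e217b86eab24bb70bb46d19bf25e00db186
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8ed9e7adb7aa849e7e33d7d2d725cb39d53ee33f55e49ddf4fa3a87054ef9e55e40a70345b0dea238769e115982a0d4d2848727dbd49fd7662e407984b790e1b
+data.tar.gz: 2fa757046d9bd09f3bfc75d44a13fa760029560f23573bc56ed786a904b89d7e96072b2b0c5370a46a6171f6b16b5fd0f9075e17154503f4d3b581d98ceb2cb5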
data/.gitignore
CHANGED
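--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
-dependency_spy (0.
+dependency_spy (0.6.0)
 bibliothecary (~> 6.6)
 colorize (= 0.8.1)
 semantic_range (~> 2.2)
@@ -13,7 +13,7 @@ GEM
 specs:
 ansi (1.5.0)
 ast (2.4.0)
-bibliothecary (6.
+bibliothecary (6.8.4)
 commander
 deb_control
 librariesio-gem-parser
@@ -36,12 +36,12 @@ GEM
 ffi (>= 1.3.0)
 execjs (2.7.0)
 ffi (1.11.1)
-highline (2.0.
+highline (2.0.3)
 jaro_winkler (1.5.3)
 json (2.2.0)
 kramdown (2.1.0)
 librariesio-gem-parser (1.0.0)
-libv8 (3.16.14.19
+libv8 (3.16.14.19)
 oga (2.15)
 ast
 ruby-ll (~> 2.1)
@@ -88,7 +88,7 @@ GEM
 json (>= 1.8, < 3)
 simplecov-html (~> 0.10.0)
 simplecov-html (0.10.2)
-strings (0.1.
+strings (0.1.6)
 strings-ansi (~> 0.1)
 unicode-display_width (~> 1.5)
 unicode_utils (~> 1.4)
@@ -103,7 +103,7 @@ GEM
 ethon (>= 0.9.0)
 unicode-display_width (1.6.0)
 unicode_utils (1.4.0)
-yavdb (0.5.
+yavdb (0.5.3)
 execjs (~> 2.7)
 json (~> 2.2)
 kramdown (~> 2.1)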
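--- a/data/example.depspy.yml
+++ b/data/example.depspy.yml
@@ -0,0 +1,12 @@
+path: '/path/to/files' # Path to find files. DEFAULT: Dir.pwd
+files: 'comma.sep,file.list' # Specific file list relative to `path`. DEFAULT: All files
+formatter: 'text' # Output format. DEFAULT: text; AVAILABLE: text,json,yaml
+platform: 'rubygems' # Supported YAVDB package manager lookup. DEFAULT: not specified (ALL); AVAILABLE: (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L31)
+output-path: '/path/to/output' # Path to generate report to. DEFAULT: not specified (console output)
+database-path: '/path/to/yavdb/database' # Path to find/store local YAVDB DB. DEFAULT: YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L28)
+offline: false # Operate in offline mode (don't try to get YAVDB). Must have local YAVDB available. DEFAULT: false; AVAILABLE: true,false
+severity-threshold: 'low' # Threshold for non-zero exit status. Doesn't change output. DEFAULT: 'low'; AVAILABLE: (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L33)
+with-color: true # Generate colored console output. DEFAULT: true; AVAILABLE: true,false
+ignore: # A list of all YAVDB vulnerability identifiers to ignore. Removes from output.
+- "identifier:to:ignore:19551105"
+vuln-db-path: '/path/to/yavdb' # Path to local YAVDB for updating. DEFAULT: YAVDB::Constants::DEFAULT_YAVDB_PATH (See: https://github.com/rtfpessoa/yavdb/blob/master/lib/yavdb/constants.rb#L27)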
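--- a/data/lib/dependency_spy/cli.rb
+++ b/data/lib/dependency_spy/cli.rb
@@ -24,6 +24,7 @@ require_relative 'formatters/yaml'
 require_relative 'outputs/stdout'
 require_relative 'outputs/file'
 require_relative 'helper/helper'
+require_relative 'helper/config_file'
 
 module DependencySpy
 class CLI < Thor
@@ -37,32 +38,49 @@ module DependencySpy
 DependencySpy::Formatters::Yaml
 ]
 
-class_option('verbose', :type => :boolean
+class_option('verbose', :type => :boolean)
 
 desc('check', 'Check dependencies for known vulnerabilities')
-method_option('path', :aliases => :
+method_option('config-file-path', :aliases => :c, :type => :string)
+method_option('path', :aliases => :p, :type => :string)
 method_option('files', :type => :string)
-method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase }
+method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase })
 method_option('platform', :aliases => :m, :type => :string, :enum => YAVDB::Constants::POSSIBLE_PACKAGE_MANAGERS.map(&:downcase))
 method_option('output-path', :aliases => :o, :type => :string)
-method_option('database-path', :type => :string, :aliases => :p
-method_option('offline', :type => :boolean
-method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES
-method_option('with-color', :type => :boolean
-method_option('ignore', :aliases => :i, :type => :array
+method_option('database-path', :type => :string, :aliases => :p)
+method_option('offline', :type => :boolean)
+method_option('severity-threshold', :aliases => :s, :type => :string, :enum => YAVDB::Constants::SEVERITIES)
+method_option('with-color', :type => :boolean)
+method_option('ignore', :aliases => :i, :type => :array)
 def check
-
+defaults = {
+'verbose' => false,
+'path' => Dir.pwd,
+'formatter' => FORMATTERS.first.name.split('::').last.downcase,
+'database-path' => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH,
+'offline' => false,
+'severity-threshold' => 'low',
+'with-color' => true,
+'ignore' => []
+}
+the_options = defaults.merge(options)
 
-
-
+api_options = the_options.transform_keys(&:to_sym)
+api_options[:database_path] = api_options[:'database-path']
+the_options.freeze
+api_options.freeze
+manifests = API.check(api_options)
+
+formatted_output = if (the_options['formatter'] == 'text') && !the_options['output-path'] && the_options['with-color']
+DependencySpy::Formatters::Text.format(manifests, the_options['severity-threshold'])
 else
 FORMATTERS
-.find { |f| f.name.split('::').last.downcase ==
+.find { |f| f.name.split('::').last.downcase == the_options['formatter'] }
 .format(manifests)
 end
 
-if
-DependencySpy::Outputs::FileSystem.write(
+if the_options['output-path']
+DependencySpy::Outputs::FileSystem.write(the_options['output-path'], formatted_output)
 else
 DependencySpy::Outputs::StdOut.write(formatted_output)
 end
@@ -71,7 +89,7 @@ module DependencySpy
 manifests.any? do |manifest|
 manifest[:dependencies]&.any? do |dependency|
 dependency[:vulnerabilities]&.any? do |vuln|
-DependencySpy::Helper.severity_above_threshold?(vuln.severity,
+DependencySpy::Helper.severity_above_threshold?(vuln.severity, the_options['severity-threshold'])
 end
 end
 end
@@ -79,11 +97,25 @@ module DependencySpy
 exit(1) if has_vulnerabilities
 end
 
-method_option('vuln-db-path', :aliases => :d, :type => :string
+method_option('vuln-db-path', :aliases => :d, :type => :string)
 desc('update', 'Download or update database from the official yavdb repository.')
 
 def update
-
+defaults = {
+'verbose' => false,
+'vuln-db-path' => YAVDB::Constants::DEFAULT_YAVDB_PATH
+}
+the_options = defaults.merge(options)
+the_options.freeze
+API.update(the_options['vuln-db-path'])
+end
+
+private
+
+def options
+cli_options = super
+config_file_options = DependencySpy::ConfigFile.get_config(cli_options[:'config-file-path'])
+config_file_options.merge(cli_options)
 end
 
 end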
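--- a/data/lib/dependency_spy/helper/config_file.rb
+++ b/data/lib/dependency_spy/helper/config_file.rb
@@ -0,0 +1,41 @@
+require 'yaml'
+
+module DependencySpy
+class ConfigFile
+
+SAFE_CONFIG_PARAMS = [
+'path',
+'files',
+'formatter',
+'platform',
+'output-path',
+'database-path',
+'offline',
+'severity-threshold',
+'with-color',
+'ignore',
+'vuln-db-path'
+].freeze
+
+def self.get_config(config_file_path = nil)
+if !config_file_path.nil? && !File.file?(config_file_path)
+puts 'Config file specified but not found.'
+exit(10)
+
+end
+
+begin
+file_path = config_file_path || '.depspy.yml'
+config = YAML.load_file(file_path) || {}
+config.slice(*SAFE_CONFIG_PARAMS)
+rescue Errno::ENOENT
+{}
+rescue Psych::SyntaxError => e
+puts 'Config File Parsing Error:'
+puts e.message
+exit(10)
+end
+end
+
+end
+end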
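--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependency_spy
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.6.0
 platform: ruby
 authors:
 - Rodrigo Fernandes
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-
+date: 2019-10-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: codacy-coverage
@@ -207,6 +207,7 @@ files:
 - bin/depspy
 - bin/setup
 - dependency_spy.gemspec
+- example.depspy.yml
 - examples/Gemfile
 - examples/Gemfile.lock
 - examples/npm-shrinkwrap.json
@@ -218,6 +219,7 @@ files:
 - lib/dependency_spy/formatters/json.rb
 - lib/dependency_spy/formatters/text.rb
 - lib/dependency_spy/formatters/yaml.rb
+- lib/dependency_spy/helper/config_file.rb
 - lib/dependency_spy/helper/helper.rb
 - lib/dependency_spy/outputs/file.rb
 - lib/dependency_spy/outputs/stdout.rb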