dependency_spy 0.1.4 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 4dafbfcad987ca150684d454d2f8a1b46d91d6c6
4
- data.tar.gz: 42aed12f4b93852fcf3d55c4d095b66a6538eb39
3
+ metadata.gz: f49de1317ff3ca8c8aec33d988ec30d8b3e0af81
4
+ data.tar.gz: 520b51be4d74d30e991bfc5de3217fe3d701bc7d
5
5
  SHA512:
6
- metadata.gz: '001439d501b54d23b34c198669335d75334667e5ccd626ece01cfb76eb537d7b203498778c123b25607bde21bfd63991d0e22ddccfb01d9feeea7d8efcfca7c7'
7
- data.tar.gz: 5e00f6b3b6093a1ce6f8fd1ba5d669f8907a4b92dda8999907283050be2e08af2a7af81f801197e31f4e0bc7b14391f26496426ba03103ab7ebb2fc97ce76a44
6
+ metadata.gz: f55af66046ca23171e7eeca25a8e18f35eae07fa73e27e1623209f6017c6801d590d3f4a992fcf0622d27256cb4766b32168e57229699c2c97e3cd1b37dee853
7
+ data.tar.gz: 774dcfcfc185696fb6ac454c649be5207812d04ea4f8c533846846254834a3f6e05f7eb5e8e5c03bb5b4669aee3d9ec527623f717b61cee390e3ee4186a8148b
data/.circleci/config.yml CHANGED
@@ -26,6 +26,10 @@ jobs:
26
26
  paths:
27
27
  - /tmp/vendor/bundle
28
28
 
29
+ - name: Vulnerable dependencies
30
+ type: shell
31
+ command: bundle exec depspy check --files Gemfile,Gemfile.lock
32
+
29
33
  - name: Rubocop
30
34
  type: shell
31
35
  command: bundle exec rubocop
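Review bot: this step will download the vulnerability database on every build, because the API falls back to `YAVDB::API.download_database` when `database_path` is missing and the only cached path in this job is `/tmp/vendor/bundle`; add the yavdb database directory to the cache `paths` (or pass `--database-path` pointing at a cached location) so the check is reproducible and does not depend on network access at build time. Note also that, together with the new `exit(1)` in the CLI, this step now fails the pipeline whenever a vulnerable dependency is reported, which is the intended gate but changes what a green build means for this repository.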
data/Gemfile.lock CHANGED
@@ -1,11 +1,11 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- dependency_spy (0.1.4)
4
+ dependency_spy (0.2.0)
5
5
  bibliothecary (~> 6.3)
6
6
  semantic_range (~> 2.1)
7
7
  thor (~> 0.20)
8
- yavdb (~> 0.1)
8
+ yavdb (~> 0.2)
9
9
 
10
10
  GEM
11
11
  remote: https://rubygems.org/
@@ -89,7 +89,7 @@ GEM
89
89
  typhoeus (1.3.0)
90
90
  ethon (>= 0.9.0)
91
91
  unicode-display_width (1.4.0)
92
- yavdb (0.1.2)
92
+ yavdb (0.2.0)
93
93
  json (~> 2.1)
94
94
  kramdown (~> 1.17)
95
95
  oga (~> 2.15)
data/README.md CHANGED
@@ -4,11 +4,11 @@
4
4
  [![Codacy Badge](https://api.codacy.com/project/badge/Coverage/5ae8d9aa788e4855965974f480a0b91b)](https://www.codacy.com/app/rtfpessoa/dependency_spy?utm_source=github.com&utm_medium=referral&utm_content=rtfpessoa/dependency_spy&utm_campaign=Badge_Coverage)
5
5
  [![CircleCI](https://circleci.com/gh/rtfpessoa/dependency_spy.svg?style=svg)](https://circleci.com/gh/rtfpessoa/dependency_spy)
6
6
 
7
- Finds known vulnerabilities in your dependencies
7
+ Finds known vulnerabilities in your dependencies using [yavdb](https://github.com/rtfpessoa/yavdb) as the source agregator of vulnerabilities.
8
8
 
9
9
  Thanks to the amazing work done by [libraries.io](https://libraries.io/) all the dependency manifest parsing is
10
10
  handled by [bibliothecary](https://github.com/librariesio/bibliothecary) and this means we have support for more than 20
11
- package managers. Due to the limited sources of information we only have identified vulnerabilities for the ones listed below.
11
+ package managers. Due to the limited sources of information we only have identified vulnerabilities for the ones listed in [yavdb](https://github.com/rtfpessoa/yavdb#yet-another-vulnerability-database).
12
12
 
13
13
  ## Disclaimer
14
14
 
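Review bot: typo in the new line 7, "agregator" should be "aggregator". Since the README now defers the list of covered package managers to the yavdb README, the sentence "Due to the limited sources of information" no longer says which sources are used; one clause naming them (or keeping the previous inline list) would help a reader decide whether their ecosystem is actually covered.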
@@ -30,15 +30,14 @@ Use as a complement to other tools at your own risk.
30
30
  ## Prerequisites
31
31
 
32
32
  * Ruby 2.3 or newer
33
+ * Bundler `gem install bundler`
33
34
 
34
35
  ## Installation
35
36
 
36
37
  ```sh
37
- gem install dependency_spy --pre
38
+ gem install dependency_spy
38
39
  ```
39
40
 
40
- > Notice the `--pre` in the end
41
-
42
41
  ## Usage
43
42
 
44
43
  ### Examples
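Review bot: Bundler is added as a prerequisite, but the Installation section still uses a plain `gem install dependency_spy`, which does not need Bundler; either state that Bundler is only needed to run `bundle exec depspy` inside a project (as the CI config on this page does) or drop the prerequisite. The Usage section that follows should also document the new `--files` option (a comma-separated list of manifest files) and the non-zero exit status that `check` now returns when vulnerabilities are found, both introduced in this release and visible in the CLI hunks below.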
@@ -56,6 +55,7 @@ depspy
56
55
 
57
56
  #### Features/Improvements
58
57
 
58
+ - [ ] Ignore vulnerabilities
59
59
  - [ ] Improve output formatters
60
60
  - [ ] Add more output options
61
61
 
@@ -38,5 +38,5 @@ Gem::Specification.new do |spec|
38
38
  spec.add_runtime_dependency 'bibliothecary', ['~> 6.3']
39
39
  spec.add_runtime_dependency 'semantic_range', ['~> 2.1']
40
40
  spec.add_runtime_dependency 'thor', ['~> 0.20']
41
- spec.add_runtime_dependency 'yavdb', ['~> 0.1']
41
+ spec.add_runtime_dependency 'yavdb', ['~> 0.2']
42
42
  end
@@ -28,7 +28,7 @@ require_relative 'dependency_spy/semver'
28
28
  module DependencySpy
29
29
  class API
30
30
 
31
- def self.check(path = Dir.pwd, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
31
+ def self.check(path = Dir.pwd, files = nil, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
32
32
  unless File.exist?(database_path)
33
33
  puts 'Could not find local vulnerability database, going to download the database.'
34
34
  YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
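Review bot: inserting `files` as the second positional parameter silently breaks any caller that passed `platform` positionally: `API.check(path, 'rubygems')` now binds `'rubygems'` to `files`, and the later `files.split(',')` treats it as a manifest file name instead of a platform. The 0.2.0 bump may be meant to signal this, but prefer appending the new parameter at the end or moving to keyword arguments (`def self.check(path: Dir.pwd, files: nil, platform: nil, database_path: ...)`) and call the change out in the release notes.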
@@ -36,7 +36,9 @@ module DependencySpy
36
36
 
37
37
  path = File.expand_path(path)
38
38
  package_managers = find_platform(platform)
39
- file_list = if File.file?(path)
39
+ file_list = if !files.nil?
40
+ files.split(',')
41
+ elsif File.file?(path)
40
42
  path = File.dirname(path)
41
43
  [File.basename(path)]
42
44
  else
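Review bot: `files.split(',')` is used without any validation: an empty string yields `[]`, so nothing is checked and the command still succeeds, and the entries are neither stripped of whitespace nor checked with `File.exist?` before use, so a typo such as `--files Gemfile,Gemfile.lcok` is skipped silently instead of being reported. Suggest `files.split(',').map(&:strip).reject(&:empty?)` followed by a hard error for any file that does not exist. Separately, the pre-existing `File.file?(path)` branch reassigns `path = File.dirname(path)` before evaluating `[File.basename(path)]`, so it produces the directory's name rather than the manifest's; capture the basename before the reassignment.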
@@ -61,9 +63,11 @@ module DependencySpy
61
63
  unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
62
64
  patched = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
63
65
 
64
- vulnerable ||
65
- (vuln.unaffected_versions&.any? && !unaffected) ||
66
- (vuln.patched_versions&.any? && !patched)
66
+ if unaffected || patched
67
+ false
68
+ else
69
+ vulnerable
70
+ end
67
71
  end
68
72
 
69
73
  Dependency.new(package_name, version, type, vulnerabilities.uniq)
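Review bot: this is a semantic change, not a refactor, and it should come with a spec: previously a version that fell outside a non-empty `patched_versions` (or `unaffected_versions`) list was reported even when `vulnerable` was false, via `(vuln.patched_versions&.any? && !patched)`, whereas now only `vulnerable` decides once the version is neither unaffected nor patched. Advisories whose affected range is missing or incomplete but whose patched range is known will therefore stop being reported; confirm that this is intended for the yavdb 0.2 data and mention it in the changelog. If it is intended, the intent reads more clearly as a single expression, `vulnerable && !(unaffected || patched)`.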
@@ -40,13 +40,14 @@ module DependencySpy
40
40
 
41
41
  desc('check', 'Check dependencies for known vulnerabilities')
42
42
  method_option('path', :aliases => :p, :type => :string, :default => Dir.pwd)
43
+ method_option('files', :type => :string)
43
44
  method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase }, :default => FORMATTERS.first.name.split('::').last.downcase)
44
45
  method_option('platform', :aliases => :m, :type => :string, :enum => YAVDB::Constants::POSSIBLE_PACKAGE_MANAGERS.map(&:downcase))
45
46
  method_option('output-path', :aliases => :o, :type => :string)
46
47
  method_option('database-path', :type => :string, :aliases => :p, :default => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
47
48
 
48
49
  def check
49
- manifests = API.check(options['path'], options['platform'], options['database-path'])
50
+ manifests = API.check(options['path'], options['files'], options['platform'], options['database-path'])
50
51
 
51
52
  formatted_output =
52
53
  FORMATTERS
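Review bot: the new `files` option has no `:desc`, so `depspy help check` will not explain that it takes a comma-separated list of manifest files (the CI config on this page passes it as `--files Gemfile,Gemfile.lock`); add a description and a short alias. While here: `database-path` still declares `:aliases => :p`, which collides with the `-p` alias of `path` a few lines above, so one of the two is unreachable through the short flag; give `database-path` a distinct alias.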
@@ -58,6 +59,11 @@ module DependencySpy
58
59
  else
59
60
  DependencySpy::Outputs::StdOut.write(formatted_output)
60
61
  end
62
+
63
+ has_vulnerabilities =
64
+ manifests.any? { |manifest| manifest.dependencies.any? { |dependency| dependency.vulnerabilities.any? } }
65
+
66
+ exit(1) if has_vulnerabilities
61
67
  end
62
68
 
63
69
  method_option('vuln-db-path', :aliases => :d, :type => :string, :default => YAVDB::Constants::DEFAULT_YAVDB_PATH)
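Review bot: the non-zero exit is the right gate for CI, but it is undocumented (the README hunks on this page do not mention it) and it is a breaking change for anyone already scripting `depspy check` in a pipeline; document the exit status under Usage. Consider also reserving a dedicated status (for example 2) for "vulnerabilities found", so that a scan that failed to run and a scan that ran and found something can be told apart by the caller.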
@@ -16,6 +16,6 @@
16
16
 
17
17
  module DependencySpy
18
18
 
19
- VERSION = '0.1.4'
19
+ VERSION = '0.2.0'
20
20
 
21
21
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependency_spy
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.4
4
+ version: 0.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rodrigo Fernandes
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-09-29 00:00:00.000000000 Z
11
+ date: 2018-10-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -170,14 +170,14 @@ dependencies:
170
170
  requirements:
171
171
  - - "~>"
172
172
  - !ruby/object:Gem::Version
173
- version: '0.1'
173
+ version: '0.2'
174
174
  type: :runtime
175
175
  prerelease: false
176
176
  version_requirements: !ruby/object:Gem::Requirement
177
177
  requirements:
178
178
  - - "~>"
179
179
  - !ruby/object:Gem::Version
180
- version: '0.1'
180
+ version: '0.2'
181
181
  description: "\n Finds known vulnerabilities in your dependencies\n Using rubysec/ruby-advisory-db,
182
182
  snyk.io, ossindex.net, nodesecurity.io\n "
183
183
  email:
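Review bot: the gem description still reads "Using rubysec/ruby-advisory-db, snyk.io, ossindex.net, nodesecurity.io" while the README in this same release names yavdb as the single source aggregator; update `spec.description` in the gemspec so the RubyGems listing matches the README.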