dependency_spy 0.1.4 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.circleci/config.yml +4 -0
- data/Gemfile.lock +3 -3
- data/README.md +5 -5
- data/dependency_spy.gemspec +1 -1
- data/lib/dependency_spy.rb +9 -5
- data/lib/dependency_spy/cli.rb +7 -1
- data/lib/dependency_spy/version.rb +1 -1
- metadata +4 -4
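--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f49de1317ff3ca8c8aec33d988ec30d8b3e0af81
+data.tar.gz: 520b51be4d74d30e991bfc5de3217fe3d701bc7d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f55af66046ca23171e7eeca25a8e18f35eae07fa73e27e1623209f6017c6801d590d3f4a992fcf0622d27256cb4766b32168e57229699c2c97e3cd1b37dee853
+data.tar.gz: 774dcfcfc185696fb6ac454c649be5207812d04ea4f8c533846846254834a3f6e05f7eb5e8e5c03bb5b4669aee3d9ec527623f717b61cee390e3ee4186a8148b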
data/.circleci/config.yml
CHANGED
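--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,11 +1,11 @@
 PATH
 remote: .
 specs:
-dependency_spy (0.
+dependency_spy (0.2.0)
 bibliothecary (~> 6.3)
 semantic_range (~> 2.1)
 thor (~> 0.20)
-yavdb (~> 0.
+yavdb (~> 0.2)
 
 GEM
 remote: https://rubygems.org/
@@ -89,7 +89,7 @@ GEM
 typhoeus (1.3.0)
 ethon (>= 0.9.0)
 unicode-display_width (1.4.0)
-yavdb (0.
+yavdb (0.2.0)
 json (~> 2.1)
 kramdown (~> 1.17)
 oga (~> 2.15)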
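--- a/data/README.md
+++ b/data/README.md
@@ -4,11 +4,11 @@
 [](https://www.codacy.com/app/rtfpessoa/dependency_spy?utm_source=github.com&utm_medium=referral&utm_content=rtfpessoa/dependency_spy&utm_campaign=Badge_Coverage)
 [](https://circleci.com/gh/rtfpessoa/dependency_spy)
 
-Finds known vulnerabilities in your dependencies
+Finds known vulnerabilities in your dependencies using [yavdb](https://github.com/rtfpessoa/yavdb) as the source agregator of vulnerabilities.
 
 Thanks to the amazing work done by [libraries.io](https://libraries.io/) all the dependency manifest parsing is
 handled by [bibliothecary](https://github.com/librariesio/bibliothecary) and this means we have support for more than 20
-package managers. Due to the limited sources of information we only have identified vulnerabilities for the ones listed
+package managers. Due to the limited sources of information we only have identified vulnerabilities for the ones listed in [yavdb](https://github.com/rtfpessoa/yavdb#yet-another-vulnerability-database).
 
 ## Disclaimer
 
@@ -30,15 +30,14 @@ Use as a complement to other tools at your own risk.
 ## Prerequisites
 
 * Ruby 2.3 or newer
+* Bundler `gem install bundler`
 
 ## Installation
 
 ```sh
-gem install dependency_spy
+gem install dependency_spy
 ```
 
-> Notice the `--pre` in the end
-
 ## Usage
 
 ### Examples
@@ -56,6 +55,7 @@ depspy
 
 #### Features/Improvements
 
+- [ ] Ignore vulnerabilities
 - [ ] Improve output formatters
 - [ ] Add more output options
 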
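--- a/data/dependency_spy.gemspec
+++ b/data/dependency_spy.gemspec
@@ -38,5 +38,5 @@ Gem::Specification.new do |spec|
 spec.add_runtime_dependency 'bibliothecary', ['~> 6.3']
 spec.add_runtime_dependency 'semantic_range', ['~> 2.1']
 spec.add_runtime_dependency 'thor', ['~> 0.20']
-spec.add_runtime_dependency 'yavdb', ['~> 0.
+spec.add_runtime_dependency 'yavdb', ['~> 0.2']
 end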
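--- a/data/lib/dependency_spy.rb
+++ b/data/lib/dependency_spy.rb
@@ -28,7 +28,7 @@ require_relative 'dependency_spy/semver'
 module DependencySpy
 class API
 
-def self.check(path = Dir.pwd, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
+def self.check(path = Dir.pwd, files = nil, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
 unless File.exist?(database_path)
 puts 'Could not find local vulnerability database, going to download the database.'
 YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
@@ -36,7 +36,9 @@ module DependencySpy
 
 path = File.expand_path(path)
 package_managers = find_platform(platform)
-file_list = if
+file_list = if !files.nil?
+files.split(',')
+elsif File.file?(path)
 path = File.dirname(path)
 [File.basename(path)]
 else
@@ -61,9 +63,11 @@ module DependencySpy
 unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
 patched = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
 
-
-
-
+if unaffected || patched
+false
+else
+vulnerable
+end
 end
 
 Dependency.new(package_name, version, type, vulnerabilities.uniq)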
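Review bot: Inserting `files` as the second positional parameter of `API.check` (new line 31) shifts `platform` and `database_path` one place to the right, so a caller written against 0.1.4 as `API.check(path, platform)` now has its platform string routed into `files.split(',')` and treated as a manifest name; appending the new parameter last, or making the optional ones keywords — `def self.check(path = Dir.pwd, files: nil, platform: nil, database_path: YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)` with the matching call in cli.rb — keeps the 0.1.4 call shape valid. The new branch also does no trimming or filtering of the list, so `--files "a, b"` produces `" b"` and `--files ""` produces an empty list; `files.split(',').map(&:strip).reject(&:empty?)` handles both. Whether the names are then resolved against `path` or checked for existence is outside the hunk (`check` continues past it), and it is worth confirming, since the unchanged `elsif` branch reassigns `path` to `File.dirname(path)` before calling `File.basename(path)`, which appears to yield the directory's name rather than the manifest's. The five-line `if unaffected || patched ... end` in the third hunk can be the single expression `!(unaffected || patched) && vulnerable`, which returns the same values.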
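--- a/data/lib/dependency_spy/cli.rb
+++ b/data/lib/dependency_spy/cli.rb
@@ -40,13 +40,14 @@ module DependencySpy
 
 desc('check', 'Check dependencies for known vulnerabilities')
 method_option('path', :aliases => :p, :type => :string, :default => Dir.pwd)
+method_option('files', :type => :string)
 method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase }, :default => FORMATTERS.first.name.split('::').last.downcase)
 method_option('platform', :aliases => :m, :type => :string, :enum => YAVDB::Constants::POSSIBLE_PACKAGE_MANAGERS.map(&:downcase))
 method_option('output-path', :aliases => :o, :type => :string)
 method_option('database-path', :type => :string, :aliases => :p, :default => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
 
 def check
-manifests = API.check(options['path'], options['platform'], options['database-path'])
+manifests = API.check(options['path'], options['files'], options['platform'], options['database-path'])
 
 formatted_output =
 FORMATTERS
@@ -58,6 +59,11 @@ module DependencySpy
 else
 DependencySpy::Outputs::StdOut.write(formatted_output)
 end
+
+has_vulnerabilities =
+manifests.any? { |manifest| manifest.dependencies.any? { |dependency| dependency.vulnerabilities.any? } }
+
+exit(1) if has_vulnerabilities
 end
 
 method_option('vuln-db-path', :aliases => :d, :type => :string, :default => YAVDB::Constants::DEFAULT_YAVDB_PATH)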
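Review bot: The new `files` option (new line 43) carries no `:desc`, so `depspy help check` cannot tell the user that it expects a comma-separated list of manifest names; `method_option('files', :type => :string, :desc => 'Comma-separated list of manifest files to check')` closes that documentation gap. The `exit(1) if has_vulnerabilities` added at the end of `check` (new line 66) turns a previously always-zero exit status into a CI gate, but nothing in this version's README hunks mentions it, so scripts wrapping the command will see an unexplained failure; a sentence under Usage such as "exits with status 1 when any vulnerable dependency is found" would document the contract. As a style point, the nested `manifests.any? { |manifest| manifest.dependencies.any? { ... } }` reads more directly as `manifests.flat_map(&:dependencies).any? { |dependency| dependency.vulnerabilities.any? }`. Visible in the unchanged context rather than the new lines, `path` and `database-path` both declare `:aliases => :p` (lines 42 and 47), which presumably leaves `-p` ambiguous in Thor — worth confirming while this option list is being touched.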
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependency_spy
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Rodrigo Fernandes
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2018-
|
11
|
+
date: 2018-10-05 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -170,14 +170,14 @@ dependencies:
|
|
170
170
|
requirements:
|
171
171
|
- - "~>"
|
172
172
|
- !ruby/object:Gem::Version
|
173
|
-
version: '0.
|
173
|
+
version: '0.2'
|
174
174
|
type: :runtime
|
175
175
|
prerelease: false
|
176
176
|
version_requirements: !ruby/object:Gem::Requirement
|
177
177
|
requirements:
|
178
178
|
- - "~>"
|
179
179
|
- !ruby/object:Gem::Version
|
180
|
-
version: '0.
|
180
|
+
version: '0.2'
|
181
181
|
description: "\n Finds known vulnerabilities in your dependencies\n Using rubysec/ruby-advisory-db,
|
182
182
|
snyk.io, ossindex.net, nodesecurity.io\n "
|
183
183
|
email:
|