diffense 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1421ed8ba3bcde63fa7a0e15afc0448aa26e399eff063583859eddda19b99bda
+  data.tar.gz: 5c60bdf597124c0246f0d96a503858fa8c5b43b7fa2624f9c2dad5a8cf86fae8
+SHA512:
+  metadata.gz: '049401c348f364422039d6979e0cae7d6eb8d67164868cffb859287839147c920c74e37cc45ed4f9995a37c22d466fc740bd876979a60f58b3d876530e470743'
+  data.tar.gz: 5d2e5fad1bc5a9ed30e6b64cf55f7755b5835a98d56f0063ae1bb875efaeddf87c61e8b081f2901fc9fdffc987a963ec0df4a797da7b58abe746bd6a2b81a52a

data/.circleci/config.yml

@@ -0,0 +1,25 @@
+version: 2
+
+jobs:
+  coditsu:
+    machine: true
+    steps:
+      - checkout
+      - run: \curl -sSL https://api.coditsu.io/run/ci | bash
+
+workflows:
+  version: 2
+  build:
+    jobs:
+      - coditsu
+
+  nightly:
+    triggers:
+      - schedule:
+          cron: '0 0 * * *'
+          filters:
+            branches:
+              only:
+                - master
+    jobs:
+      - coditsu

data/.coditsu/ci.yml

@@ -0,0 +1,3 @@
+repository_id: 'aa9fa8a4-3b65-4b4b-b066-bc66046068b4'
+api_key: <%= ENV['CODITSU_API_KEY'] %>
+api_secret: <%= ENV['CODITSU_API_SECRET'] %>

data/.gitignore

@@ -0,0 +1,51 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+# .env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+.coditsu/local.yml

data/.ruby-version

@@ -0,0 +1 @@
+2.7.1

data/Gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,20 @@
+PATH
+  remote: .
+  specs:
+    bundler-security (0.1.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    rake (13.0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler
+  bundler-security!
+  rake
+
+BUNDLED WITH
+   2.1.4

data/LICENSE

@@ -0,0 +1,165 @@
+                   GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+  This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+  0. Additional Definitions.
+
+  As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+  "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+  An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+  A "Combined Work" is a work produced by combining or linking an
+Application with the Library.  The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+  The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+  The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+  1. Exception to Section 3 of the GNU GPL.
+
+  You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+  2. Conveying Modified Versions.
+
+  If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+   a) under this License, provided that you make a good faith effort to
+   ensure that, in the event an Application does not supply the
+   function or data, the facility still operates, and performs
+   whatever part of its purpose remains meaningful, or
+
+   b) under the GNU GPL, with none of the additional permissions of
+   this License applicable to that copy.
+
+  3. Object Code Incorporating Material from Library Header Files.
+
+  The object code form of an Application may incorporate material from
+a header file that is part of the Library.  You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+   a) Give prominent notice with each copy of the object code that the
+   Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the object code with a copy of the GNU GPL and this license
+   document.
+
+  4. Combined Works.
+
+  You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+   a) Give prominent notice with each copy of the Combined Work that
+   the Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the Combined Work with a copy of the GNU GPL and this license
+   document.
+
+   c) For a Combined Work that displays copyright notices during
+   execution, include the copyright notice for the Library among
+   these notices, as well as a reference directing the user to the
+   copies of the GNU GPL and this license document.
+
+   d) Do one of the following:
+
+       0) Convey the Minimal Corresponding Source under the terms of this
+       License, and the Corresponding Application Code in a form
+       suitable for, and under terms that permit, the user to
+       recombine or relink the Application with a modified version of
+       the Linked Version to produce a modified Combined Work, in the
+       manner specified by section 6 of the GNU GPL for conveying
+       Corresponding Source.
+
+       1) Use a suitable shared library mechanism for linking with the
+       Library.  A suitable mechanism is one that (a) uses at run time
+       a copy of the Library already present on the user's computer
+       system, and (b) will operate properly with a modified version
+       of the Library that is interface-compatible with the Linked
+       Version.
+
+   e) Provide Installation Information, but only if you would otherwise
+   be required to provide such information under section 6 of the
+   GNU GPL, and only to the extent that such information is
+   necessary to install and execute a modified version of the
+   Combined Work produced by recombining or relinking the
+   Application with a modified version of the Linked Version. (If
+   you use option 4d0, the Installation Information must accompany
+   the Minimal Corresponding Source and Corresponding Application
+   Code. If you use option 4d1, you must provide the Installation
+   Information in the manner specified by section 6 of the GNU GPL
+   for conveying Corresponding Source.)
+
+  5. Combined Libraries.
+
+  You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+   a) Accompany the combined library with a copy of the same work based
+   on the Library, uncombined with any other library facilities,
+   conveyed under the terms of this License.
+
+   b) Give prominent notice with the combined library that part of it
+   is a work based on the Library, and explaining where to find the
+   accompanying uncombined form of the same work.
+
+  6. Revised Versions of the GNU Lesser General Public License.
+
+  The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+  Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+  If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.

data/README.md

@@ -0,0 +1,19 @@
+# Coditsu::BundlerSecurity
+
+A bundler plugin that checks if it's secure to install your dependencies.
+
+## Installation
+
+    $ bundle plugin install bundler-security
+
+## Usage
+
+It automatically hooks up to your `bundle` commands.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/coditsu/bundler-security.
+
+## License
+
+The gem is available as open source under the terms of the [LGPL-3.0](https://github.com/coditsu/bundler-security/blob/master/LICENSE).

data/certs/mensfeld.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEODCCAqCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhtYWNp
+ZWovREM9bWVuc2ZlbGQvREM9cGwwHhcNMTkwNzMwMTQ1NDU0WhcNMjAwNzI5MTQ1
+NDU0WjAjMSEwHwYDVQQDDBhtYWNpZWovREM9bWVuc2ZlbGQvREM9cGwwggGiMA0G
+CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC9fCwtaHZG2SyyNXiH8r0QbJQx/xxl
+dkvwWz9QGJO+O8rEx20FB1Ab+MVkfOscwIv5jWpmk1U9whzDPl1uFtIbgu+sk+Zb
+uQlZyK/DPN6c+/BbBL+RryTBRyvkPLoCVwm7uxc/JZ1n4AI6eF4cCZ2ieZ9QgQbU
+MQs2QPqs9hT50Ez/40GnOdadVfiDDGz+NME2C4ms0BriXwZ1tcRTfJIHe2xjIbbb
+y5qRGfsLKcgMzvLQR24olixyX1MR0s4+Wveq3QL/gBhL4veUcv+UABJA8IJR0kyB
+seHHutusiwZ1v3SjjjW1xLLrc2ARV0mgCb0WaK2T4iA3oFTGLh6Ydz8LNl31KQFv
+94nRd8IhmJxrhQ6dQ/WT9IXoa5S9lfT5lPJeINemH4/6QPABzf9W2IZlCdI9wCdB
+TBaw57MKneGAYZiKjw6OALSy2ltQUCl3RqFl3VP7n8uFy1U987Q5VIIQ3O1UUsQD
+Oe/h+r7GUU4RSPKgPlrwvW9bD/UQ+zF51v8CAwEAAaN3MHUwCQYDVR0TBAIwADAL
+BgNVHQ8EBAMCBLAwHQYDVR0OBBYEFJNIBHdfEUD7TqHqIer2YhWaWhwcMB0GA1Ud
+EQQWMBSBEm1hY2llakBtZW5zZmVsZC5wbDAdBgNVHRIEFjAUgRJtYWNpZWpAbWVu
+c2ZlbGQucGwwDQYJKoZIhvcNAQELBQADggGBAKA4eqko6BTNhlysip6rfBkVTGri
+ZXsL+kRb2hLvsQJS/kLyM21oMlu+LN0aPj3qEFR8mE/YeDD8rLAfruBRTltPNbR7
+xA5eE1gkxY5LfExUtK3b2wPqfmo7mZgfcsMwfYg/tUXw1WpBCnrhAJodpGH6SXmp
+A40qFUZst0vjiOoO+aTblIHPmMJXoZ3K42dTlNKlEiDKUWMRKSgpjjYGEYalFNWI
+hHfCz2r8L2t+dYdMZg1JGbEkq4ADGsAA8ioZIpJd7V4hI17u5TCdi7X5wh/0gN0E
+CgP+nLox3D+l2q0QuQEkayr+auFYkzTCkF+BmEk1D0Ru4mcf3F4CJvEmW4Pzbjqt
+i1tsCWPtJ4E/UUKnKaWKqGbjrjHJ0MuShYzHkodox5IOiCXIQg+1+YSzfXUV6WEK
+KJG/fhg1JV5vVDdVy6x+tv5SQ5ctU0feCsVfESi3rE3zRd+nvzE9HcZ5aXeL1UtJ
+nT5Xrioegu2w1jPyVEgyZgTZC5rvD0nNS5sFNQ==
+-----END CERTIFICATE-----

data/diffense.gemspec

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'bundler/security/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'diffense'
+  spec.version       = Bundler::Security::VERSION
+  spec.authors       = ['Tomasz Pajor']
+  spec.email         = ['tomek@coditsu.io']
+
+  spec.summary       = 'Bundler Security'
+  spec.description   = 'Bundler Security'
+  spec.homepage      = Bundler::Security::HOMEPAGE
+  spec.license       = 'MIT'
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata['allowed_push_host'] = 'https://rubygems.org'
+  else
+    raise 'RubyGems 2.0 or newer is required to protect against ' \
+      'public gem pushes.'
+  end
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec)/}) }
+  spec.require_paths = %w[lib]
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
+end

data/lib/bundler/security.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+%w[
+  bundler
+].each(&method(:require))
+
+%w[
+  config/fetcher
+  config/file_finder
+  commands
+  version
+  errors
+  voting
+].each { |file| require "bundler/security/#{file}" }
+
+%w[
+  build_unsafe_gem
+  build_success
+  build_failure
+  gem_policy
+  remote_policy
+  request
+  versions/local
+  versions/remote
+].each { |file| require "bundler/security/voting/#{file}" }
+
+# Bundler main namespace
+module Bundler
+  # Plugin responsible for safe gem installation
+  module Security
+    class << self
+      # Registers the plugin and add before install all hook
+      def register
+        return if defined?(@registered) && @registered
+
+        @registered = true
+
+        Bundler::Plugin.add_hook('before-install-all') do |_|
+          Bundler::Security::Voting.call(
+            command,
+            build_definition
+          )
+        end
+      end
+
+      # Build clean instance of bundler definition, as we don't want to pollute the main one
+      #
+      # @return [Bundler::Definition]
+      def build_definition
+        Bundler.configure
+
+        Bundler::Definition.build(
+          Bundler.default_gemfile,
+          Bundler.default_lockfile,
+          true
+        )
+      end
+
+      # Command that was run with bundle
+      #
+      # @return [String]
+      def command
+        ARGV
+          .first
+          .then { |value| value || Bundler::Security::Commands::INSTALL }
+      end
+    end
+  end
+end

data/lib/bundler/security/commands.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    # Modules grouping supported bundler commands
+    module Commands
+      # Install bundler command
+      INSTALL = 'install'
+      # Update bundler command
+      UPDATE = 'update'
+    end
+  end
+end

data/lib/bundler/security/config/fetcher.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    # Module for all the components related to setting up the config
+    module Config
+      # Class responsible for fetching the config from .coditsu.yml
+      module Fetcher
+        class << self
+          # @param build_path [String] path of the current build
+          # @return [OpenStruct] open struct with config details
+          # @example
+          #   details = Fetcher.new.call('./')
+          #   details.build_path #=> './'
+          def call(build_path)
+            FileFinder
+              .call(build_path)
+              .then(&File.method(:read))
+              .then(&ERB.method(:new))
+              .then(&:result)
+              .then(&YAML.method(:load))
+              .then { |data| data.merge(build_path: build_path) }
+              .then(&OpenStruct.method(:new))
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/config/file_finder.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Config
+      # Class used to figure out the file from which we should load the settings
+      module FileFinder
+        # Names of the files or paths where we will look for the settings
+        #
+        # @note We do the double dot trick, to look outside of the current dir because when
+        #   executed from a docker container, we copy the local uncommitted settings into the
+        #   dir above the app location not to pollute the reset state of the git repo
+        #
+        # @note Order is important, as for local env we should load from
+        #   local file (if present first)
+        FILE_NAMES = %w[
+          .coditsu/local.yml
+          .coditsu/ci.yml
+          .coditsu/*.yml
+          .coditsu.yml
+        ].map { |name| ["../#{name}", name] }.tap(&:flatten!).freeze
+
+        private_constant :FILE_NAMES
+
+        class << self
+          # Looks for coditsu settings file for a given env
+          #
+          # @param build_path [String] path of the current build
+          #
+          # @return [String] path to the file from which we should load all the settings
+          def call(build_path)
+            FILE_NAMES
+              .map { |name| File.join(build_path, name) }
+              .map { |name| Dir[name] }
+              .find { |selection| !selection.empty? }
+              .tap { |path| path || raise(Errors::MissingConfigurationFile) }
+              .first
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/errors.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    # Build runner app errors
+    module Errors
+      # Base error class from which all the errors should inherit
+      BaseError = Class.new(StandardError)
+      # Raised when we couldn't find a valid configuration file
+      MissingConfigurationFile = Class.new(BaseError)
+      # When we receive invalid remote versions type
+      InvalidRemoteVersionsType = Class.new(BaseError)
+    end
+  end
+end

data/lib/bundler/security/version.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    # Current BundlerSecurity version
+    VERSION = '0.1.1'
+    # Coditsu differ homepage
+    HOMEPAGE = 'https://diff.coditsu.io'
+  end
+end

data/lib/bundler/security/voting.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    # Verifies voting verdicts for gems
+    module Voting
+      class << self
+        # Build verdict
+        #
+        # @param command [String] either install or update
+        # @param definition [Bundler::Definition] definition for your source
+        def call(command, definition)
+          remote_data(command, definition)
+            .then { |policy, gems| [policy, build_gems(policy, gems)] }
+            .then { |policy, errors| build_status(policy.type, command, errors) }
+        end
+
+        # Build gems that don't have enough approvals
+        #
+        # @param policy [Voting::RemotePolicy] remote policy settings
+        # @param gems [Hash] remote gem statistics
+        #
+        # @return [Array] gems that don't have enough approvals based on remote policy
+        def build_gems(policy, gems)
+          gems.each_with_object([]) do |(name, data), errors|
+            gem_policy = GemPolicy.new(name, data, policy)
+
+            next if gem_policy.approved?
+            next unless gem_policy.rejected?
+
+            errors << BuildUnsafeGem.call(gem_policy)
+          end
+        end
+
+        # Fetch data from the differ
+        #
+        # @param command [String] either install or update
+        # @param definition [Bundler::Definition]
+        def remote_data(command, definition)
+          Versions::Remote
+            .call(command, definition)
+            .yield_self { |response| [build_remote_policy(response['policy']), response['gems']] }
+        end
+
+        # Build remote policy based on Coditsu differ settings
+        #
+        # @param policy [Hash] remote policy settings
+        #
+        # @return [Voting::RemotePolicy]
+        def build_remote_policy(policy)
+          RemotePolicy.new(
+            policy['type'], policy['threshold']
+          )
+        end
+
+        # Build security verdict
+        #
+        # @param remote_policy_type [String]
+        # @param command [String] either install or update
+        # @param errors [Array] detected security errors
+        def build_status(remote_policy_type, command, errors)
+          if errors.empty?
+            BuildSuccess.call(remote_policy_type, command)
+          else
+            BuildFailure.call(remote_policy_type, command, errors)
+            exit 1
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/build_failure.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Voting
+      # Build failure security verdict
+      module BuildFailure
+        class << self
+          # Prints failure security verdict
+          #
+          # @param policy_type [String]
+          # @param command [String] either install or update
+          # @param errors [Array] detected security errors
+          def call(policy_type, command, errors)
+            Bundler.ui.error(
+              build(policy_type, command, errors)
+            )
+          end
+
+          # Builds failure security verdict message
+          #
+          # @param policy_type [String]
+          # @param command [String] either install or update
+          # @param errors [Array] detected security errors
+          #
+          # @return [String]
+          def build(policy_type, command, errors)
+            [
+              "\n",
+              message_type(policy_type),
+              ", blocking #{command}",
+              "\n\n",
+              errors.join("\n"),
+              "\n\n"
+            ].join
+          end
+
+          # Builds a message based on policy type
+          #
+          # @param policy_type [String]
+          #
+          # @return [String]
+          #
+          # @raise InvalidPolicyType if policy type was not recognized
+          def message_type(policy_type)
+            case policy_type
+            when 'organization'
+              'Not enough reviews on your organization'
+            when 'community'
+              'Not enough reviews in the community'
+            else
+              raise InvalidPolicyType, policy_type
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/build_success.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Voting
+      # Build successful security verdict
+      module BuildSuccess
+        class << self
+          # Prints successful security verdict
+          #
+          # @param policy_type [String]
+          # @param command [String] either install or update
+          def call(policy_type, command)
+            Bundler.ui.confirm(
+              build(policy_type, command)
+            )
+          end
+
+          # Builds successful security verdict message
+          #
+          # @param policy_type [String]
+          # @param command [String] either install or update
+          #
+          # @return [String]
+          def build(policy_type, command)
+            [
+              "\n",
+              message_type(policy_type),
+              ", commencing #{command}",
+              "\n\n"
+            ].join
+          end
+
+          # Builds a message based on policy type
+          #
+          # @param policy_type [String]
+          #
+          # @return [String]
+          #
+          # @raise InvalidPolicyType if policy type was not recognized
+          def message_type(policy_type)
+            case policy_type
+            when 'organization'
+              'All gems approved by your organization'
+            when 'community'
+              'All gems approved by community'
+            else
+              raise InvalidPolicyType, policy_type
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/build_unsafe_gem.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Voting
+      # Module responsible for building unsafe gem details
+      module BuildUnsafeGem
+        # Differ url
+        DIFF_URL = 'https://diff.coditsu.io/gems'
+
+        class << self
+          # Builds details of an unsafe gem
+          #
+          # @param gem_policy [Voting::GemPolicy]
+          #
+          # @return [String]
+          def call(gem_policy)
+            [
+              gem_policy.name,
+              gem_policy.new_version? ? gem_policy.new_version : gem_policy.current_version,
+              '-',
+              [
+                approved(gem_policy.remote_policy, gem_policy),
+                rejected(gem_policy.remote_policy, gem_policy)
+              ].compact.join(', ')
+            ].join(' ')
+          end
+
+          # Builds safe details
+          #
+          # @param remote_policy [Voting::RemotePolicy]
+          # @param gem_policy [Voting::GemPolicy]
+          #
+          # @return [String]
+          def approved(remote_policy, gem_policy)
+            return if gem_policy.approved?
+
+            array = []
+            array << "approved (#{gem_policy.approved} expected #{remote_policy.approved})"
+            array << differ_url(gem_policy)
+            array.join(' ')
+          end
+
+          # Builds malicious details
+          #
+          # @param remote_policy [Voting::RemotePolicy]
+          # @param gem_policy [Voting::GemPolicy]
+          #
+          # @return [String]
+          def rejected(remote_policy, gem_policy)
+            return if gem_policy.rejected?
+
+            array = []
+            array << "rejected (#{gem_policy.rejected} expected #{remote_policy.rejected})"
+            array << differ_url(gem_policy)
+            array.join(' ')
+          end
+
+          # Builds differ url for gem with version details
+          #
+          # @param gem_policy [Voting::GemPolicy]
+          #
+          # @return [String]
+          def differ_url(gem_policy)
+            array = [DIFF_URL, gem_policy.name, gem_policy.current_version]
+            array << gem_policy.new_version if gem_policy.new_version?
+            array.join('/')
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/gem_policy.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Voting
+      # Gem policy with statistics from Coditsu differ
+      class GemPolicy
+        attr_reader :name, :current_version, :new_version, :remote_policy
+
+        # Build gem policy
+        #
+        # @param name [String] gem name
+        # @param gem_data [Array] gem version and statistics from Coditsu
+        # @param remote_policy [Voting::RemotePolicy]
+        def initialize(name, gem_data, remote_policy)
+          @name = name
+          @new_version = nil
+
+          versions = gem_data.first
+
+          raise Errors::InvalidRemoteVersionsType, versions.class unless versions.is_a?(Array)
+
+          @current_version = versions.first.empty? ? versions.last : versions.first
+          @new_version = versions.last if @current_version != versions.last
+
+          @remote_policy = remote_policy
+          @threshold = gem_data.last[remote_policy.type]
+        end
+
+        # How many time gem was marked as safe
+        #
+        # @return [Integer]
+        def approved
+          @threshold['up'].to_i
+        end
+
+        # How many time gem was marked as malicious
+        #
+        # @return [Integer]
+        def rejected
+          @threshold['down'].to_i
+        end
+
+        # Checks if a gem is safe based on a remote policy
+        #
+        # @return [Boolean] true if it's safe, false otherwise
+        def approved?
+          approved >= @remote_policy.approved
+        end
+
+        # Checks if a gem is malicious based on a remote policy
+        #
+        # @return [Boolean] true if it's malicious, false otherwise
+        def rejected?
+          @remote_policy.rejected >= rejected
+        end
+
+        # Check if a new version was requested
+        #
+        # @return [Boolean] true if new version was requested, false otherwise
+        def new_version?
+          !@new_version.nil?
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/remote_policy.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Voting
+      # Remote policy settings from Coditsu
+      RemotePolicy = Struct.new(:type, :threshold) do
+        # How many time gem was marked as safe
+        #
+        # @return [Integer]
+        def approved
+          threshold['up'].to_i
+        end
+
+        # How many time gem was marked as malicious
+        #
+        # @return [Integer]
+        def rejected
+          threshold['down'].to_i
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/request.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'openssl'
+require 'json'
+
+module Bundler
+  module Security
+    module Voting
+      # Module responsible for doing request to Coditsu differ
+      module Request
+        # Differ endpoint url
+        ENDPOINT_URL = 'https://diff.coditsu.io/api/bundler.json'
+        # Request headers
+        HEADERS = { 'Content-Type': 'application/json' }.freeze
+
+        private_constant :ENDPOINT_URL, :HEADERS
+
+        class << self
+          # Execute request to the differ
+          #
+          # @param config [OpenStruct] Coditsu config
+          # @param payload [Hash] with versions to check
+          #
+          # @return [Net::HTTPResponse] response from Coditsu differ
+          def call(config, payload)
+            build_http do |http, uri|
+              http.request(build_request(uri, config, payload))
+            end
+          end
+
+          # Builds http connection object
+          def build_http
+            uri = URI(differ_url)
+
+            Net::HTTP.start(
+              uri.host,
+              uri.port,
+              use_ssl: uri.scheme == 'https',
+              verify_mode: OpenSSL::SSL::VERIFY_NONE
+            ) { |http| yield(http, uri) }
+          end
+
+          # Build http post request and assigns headers and payload
+          #
+          # @param uri [URI::HTTPS]
+          # @param config [OpenStruct] Coditsu config
+          # @param payload [Hash] with versions to check
+          #
+          # @return [Net::HTTP::Post]
+          def build_request(uri, config, payload)
+            Net::HTTP::Post
+              .new(uri.request_uri, HEADERS)
+              .tap { |request| assign_auth(request, config) }
+              .tap { |request| assign_payload(request, payload) }
+          end
+
+          # Assigns basic authorization if provided in the config
+          #
+          # @param request [Net::HTTP::Post] prepared http post
+          # @param config [OpenStruct] Coditsu config
+          def assign_auth(request, config)
+            return unless config
+            return unless config.api_key
+            return unless config.api_secret
+
+            request.basic_auth(config.api_key, config.api_secret)
+          end
+
+          # Assigns payload as json
+          #
+          # @param request [Net::HTTP::Post] prepared http post
+          # @param payload [Hash] with versions to check
+          def assign_payload(request, payload)
+            request.body = JSON.dump(payload)
+          end
+
+          # Provides differ endpoint url
+          #
+          # @return [String]
+          def differ_url
+            ENV['CODITSU_DIFFER_URL'] || ENDPOINT_URL
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/versions/local.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Voting
+      # Module responsible for handling both local and remote gem versions
+      module Versions
+        # Module responsible for preparing current or current/new versions of gems
+        module Local
+          class << self
+            # Definition of a local path, if it matches it means that we are the source
+            ME_PATH = '.'
+            # Sources that we expect to match ourselves too
+            ME_SOURCES = [
+              Bundler::Source::Gemspec,
+              Bundler::Source::Path
+            ].freeze
+
+            # @param command [String] either install or update
+            # @param definition [Bundler::Definition] definition for your source
+            def call(command, definition)
+              Bundler.ui.silence { definition.resolve_remotely! }
+
+              case command
+              when Commands::INSTALL then build_install(definition)
+              when Commands::UPDATE then build_update(definition)
+              else
+                raise ArgumentError, "invalid command: #{command}"
+              end
+            end
+
+            private
+
+            # @param definition [Bundler::Definition] definition for your source
+            def build_install(definition)
+              requested_specs = definition.requested_specs
+              # Support case without Gemfile.lock
+              if definition.locked_gems
+                locked_specs = definition.locked_gems.specs
+                introduced = requested_specs.map(&:name) - locked_specs.map(&:name)
+                introduced_specs = requested_specs.select { |spec| introduced.include?(spec.name) }
+                introduced_specs.concat(locked_specs)
+              else
+                introduced_specs = requested_specs
+              end
+
+              introduced_specs.each_with_object({}) do |spec, hash|
+                next if skip?(spec.source)
+
+                hash[spec.name] = ['', spec.version.to_s]
+              end
+            end
+
+            # @param definition [Bundler::Definition] definition for your source
+            def build_update(definition)
+              locked_specs = definition.locked_gems.specs
+
+              definition.requested_specs.each_with_object({}) do |spec, hash|
+                next if skip?(spec.source)
+
+                locked_spec = locked_specs.find { |s| s.name == spec.name }
+
+                hash[spec.name] = if locked_spec
+                                    [locked_spec.version.to_s, spec.version.to_s]
+                                  else
+                                    ['', spec.version.to_s]
+                                  end
+              end
+            end
+
+            # Checks if we should skip a source
+            #
+            # @param source [Bundler::Source::Git, Bundler::Source::Rubygems]
+            #
+            # @return [Boolean] true if we should skip this source, false otherwise
+            def skip?(source)
+              return true if git?(source)
+              return true if me?(source)
+
+              false
+            end
+
+            # Checks if it's a git source
+            #
+            # @param source [Bundler::Source::Git, Bundler::Source::Rubygems]
+            #
+            # @return [Boolean] true if it's a git source, false otherwise
+            def git?(source)
+              source.instance_of?(Bundler::Source::Git)
+            end
+
+            # Checks if it's a self source, this happens for repositories that are a gem
+            #
+            # @param source [Bundler::Source::Path,Bundler::Source::Git,Bundler::Source::Rubygems]
+            #
+            # @return [Boolean] true if it's a self source, false otherwise
+            def me?(source)
+              return false unless ME_SOURCES.include?(source.class)
+
+              source.path.to_s == ME_PATH
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/versions/remote.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Bundler
+  module Security
+    module Voting
+      # Module responsible for handling both local and remote gem versions
+      module Versions
+        # Module responsible for fetching safe/malicious votes
+        # for current or current/new versions of gems
+        module Remote
+          # Differ bundler url
+          ENDPOINT_URL = 'https://diff.coditsu.io/api/bundler.json'
+
+          private_constant :ENDPOINT_URL
+
+          class << self
+            # @param command [String] either install or update
+            # @param definition [Bundler::Definition] definition for your source
+            def call(command, definition)
+              config = fetch_config
+
+              Request
+                .call(config, payload(command, config&.repository_id, definition))
+                .then { |response| JSON.parse(response.body) }
+            end
+
+            # @param command [String] either install or update
+            # @param repository_id [String] coditsu repository_id
+            # @param definition [Bundler::Definition] definition for your source
+            #
+            # @return [Hash] payload for differ bundler endpoint
+            def payload(command, repository_id, definition)
+              Local.call(command, definition).each_with_object({}) do |(name, versions), hash|
+                hash[:data] ||= {}
+                hash[:data][:repository_id] = repository_id if repository_id
+                hash[:data][:gems] ||= {}
+                hash[:data][:gems][name] = versions
+              end
+            end
+
+            # Fetch coditsu config file
+            #
+            # @return [OpenStruct, nil] configuration object
+            #
+            # @raise [Errors::MissingConfigurationFile] when no config file
+            def fetch_config
+              Config::Fetcher.call(
+                File.expand_path('..', Bundler.bin_path)
+              )
+            rescue Errors::MissingConfigurationFile
+              nil
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/plugins.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require 'bundler/security'
+
+Bundler::Security.register

metadata

@@ -0,0 +1,98 @@
+--- !ruby/object:Gem::Specification
+name: diffense
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Tomasz Pajor
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-05-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Bundler Security
+email:
+- tomek@coditsu.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".circleci/config.yml"
+- ".coditsu/ci.yml"
+- ".gitignore"
+- ".ruby-version"
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- certs/mensfeld.pem
+- diffense.gemspec
+- lib/bundler/security.rb
+- lib/bundler/security/commands.rb
+- lib/bundler/security/config/fetcher.rb
+- lib/bundler/security/config/file_finder.rb
+- lib/bundler/security/errors.rb
+- lib/bundler/security/version.rb
+- lib/bundler/security/voting.rb
+- lib/bundler/security/voting/build_failure.rb
+- lib/bundler/security/voting/build_success.rb
+- lib/bundler/security/voting/build_unsafe_gem.rb
+- lib/bundler/security/voting/gem_policy.rb
+- lib/bundler/security/voting/remote_policy.rb
+- lib/bundler/security/voting/request.rb
+- lib/bundler/security/voting/versions/local.rb
+- lib/bundler/security/voting/versions/remote.rb
+- plugins.rb
+homepage: https://diff.coditsu.io
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: Bundler Security
+test_files: []