dobby 0.1.0 → 0.1.2

data/lib/dobby/formatter/formatter_set.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module Dobby
+  module Formatter
+    class FormatterSet < Array
+      BUILTIN_FORMATTERS = {
+        'simple' => SimpleFormatter,
+        'json' => JSONFormatter
+      }.freeze
+
+      FORMATTER_APIS = %i[started finished file_started].freeze
+
+      FORMATTER_APIS.each do |method_name|
+        define_method(method_name) do |*args|
+          each { |f| f.send(method_name, *args) }
+        end
+      end
+
+      def initialize(options = {})
+        @options = options
+      end
+
+      def file_finished(file, results)
+        each { |f| f.file_finished(file, results) }
+        results
+      end
+
+      def add_formatter(type, output_path = nil)
+        if output_path
+          dir_path = File.dirname(output_path)
+          FileUtils.mkdir_p(dir_path) unless File.exist?(dir_path)
+          output = File.open(output_path, 'w')
+        else
+          output = $stdout
+        end
+
+        self << formatter_class(type).new(output, @options)
+      end
+
+      def close_output_files
+        each do |formatter|
+          formatter.output.close if formatter.output.is_a?(File)
+        end
+      end
+
+      private
+
+      def formatter_class(formatter_type)
+        case formatter_type
+        when Class
+          formatter_type
+        when /\A[A-Z]/
+          custom_formatter_class(formatter_type)
+        else
+          builtin_formatter_class(formatter_type)
+        end
+      end
+
+      def builtin_formatter_class(specified_key)
+        matching = BUILTIN_FORMATTERS.keys.select do |key|
+          key.start_with?(specified_key)
+        end
+
+        raise %(No formatter for "#{specified_key}") if matching.empty?
+        raise %(Cannot determine formatter for "#{specified_key}") if matching.size > 1
+
+        BUILTIN_FORMATTERS[matching.first]
+      end
+
+      def custom_formatter_class(specified_class_name)
+        constant_names = specified_class_name.split('::')
+        constant_names.shift if constant_names.first.empty?
+        constant_names.reduce(Object) do |namespace, constant_name|
+          namespace.const_get(constant_name, false)
+        end
+      end
+    end
+  end
+end

data/lib/dobby/formatter/json_formatter.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Dobby
+  module Formatter
+    # Outputs results as JSON
+    class JSONFormatter < AbstractFormatter
+      def started(_target_files)
+        @results = {}
+      end
+
+      def file_started(file)
+        @results[file] = []
+      end
+
+      def file_finished(file, results)
+        return if results.empty?
+
+        @results[file] = each_completed_result(results)
+      end
+
+      def finished(_files)
+        output.puts(Oj.dump(@results, mode: :strict))
+      end
+
+      private
+
+      def each_completed_result(results)
+        results.map do |package, defects|
+          {
+            package: package.name,
+            version: package.version,
+            defects: serialize_each_defect(defects)
+          }
+        end
+      end
+
+      def serialize_each_defect(defects)
+        defects.sort_by(&:severity).map(&:to_hash)
+      end
+    end
+  end
+end

data/lib/dobby/formatter/simple_formatter.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Dobby
+  module Formatter
+    # Outputs simple text, possibly colored
+    class SimpleFormatter < AbstractFormatter
+      include Colorizable
+
+      def file_finished(_file, results)
+        return if results.empty?
+
+        each_completed_result(results)
+      end
+
+      private
+
+      def each_completed_result(results)
+        results.each do |package, defects|
+          output.puts
+          print_package(package)
+          print_each_defect(defects)
+        end
+      end
+
+      def print_package(package)
+        output.puts(package)
+      end
+
+      def print_each_defect(defects)
+        defects.sort_by(&:severity).each { |d| print_defect(d) }
+      end
+
+      def print_defect(defect)
+        severity = colored_severity(defect.severity)
+        output.printf("\t%-25s %-10s\n", defect.identifier, severity)
+      end
+
+      def colored_severity(severity)
+        case severity
+        when Severity::Negligible, Severity::Low
+          green(severity)
+        when Severity::Medium
+          yellow(severity)
+        when Severity::High
+          magenta(severity)
+        when Severity::Critical
+          red(severity)
+        else
+          white(severity)
+        end
+      end
+    end
+  end
+end

data/lib/dobby/options.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+# Adapted from rubocop's Options:
+# Copyright (c) 2012-18 Bozhidar Batsov
+# Additional modifications Copyright (c) 2018 Joe Truba
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+
+module Dobby
+  # Parsing of command line options and arguments.
+  class Options
+    EXITING_OPTIONS = %i[version verbose_version].freeze
+
+    def initialize
+      @options = {}
+    end
+
+    def parse(cli_args)
+      args = args_from_file.concat(args_from_env).concat(cli_args)
+      define_options.parse!(args)
+      args << '/var/lib/dpkg/status' if args.empty?
+      [@options, args]
+    end
+
+    private
+
+    def args_from_file
+      if File.exist?('.dobby') && !File.directory?('.dobby')
+        IO.readlines('.dobby').map(&:strip)
+      else
+        []
+      end
+    end
+
+    def args_from_env
+      Shellwords.split(ENV.fetch('DEBSECAN_OPTS', ''))
+    end
+
+    def define_options
+      OptionParser.new do |opts|
+        opts.program_name = 'meraki-dobby'
+        opts.banner = <<-BANNER.strip_indent
+          Usage: dobby [options] [file1, file2, ...]
+                 dobby -o file [file1, file2, ...]
+                 dobby -f simple -f json -o bar [file1, file2, ...]
+
+        BANNER
+
+        add_boolean_options(opts)
+        add_formatting_options(opts)
+        add_configuration_options(opts)
+        add_strategy_options(opts)
+      end
+    end
+
+    # Sets a value in the @options hash, based on the given long option and its
+    # value, in addition to calling the block if a block is given.
+    def option(opts, *args)
+      long_opt_symbol = long_opt_symbol(args)
+      args += Array(OptionsHelp::TEXT[long_opt_symbol])
+      opts.on(*args) do |arg|
+        @options[long_opt_symbol] = arg
+        yield arg if block_given?
+      end
+    end
+
+    # Finds the option in `args` starting with -- and converts it to a symbol,
+    # e.g. [..., '--auto-correct', ...] to :auto_correct.
+    def long_opt_symbol(args)
+      long_opt = args.find { |arg| arg.start_with?('--') }
+      long_opt[2..-1].sub('[no-]', '').sub(/ .*/, '')
+                     .tr('-', '_').gsub(/[\[\]]/, '').to_sym
+    end
+
+    def add_formatting_options(opts)
+      option(opts, '-f', '--format FORMATTER') do |f|
+        @options[:formatters] ||= []
+        @options[:formatters] << [f]
+      end
+
+      option(opts, '-o', '--out FILE') do |path|
+        if @options[:formatters]
+          @options[:formatters].last << path
+        else
+          @options[:output_path] = path
+        end
+      end
+    end
+
+    def add_boolean_options(opts)
+      option(opts, '--debug')
+      option(opts, '--fail-fast')
+      option(opts, '--list-target-files')
+      option(opts, '-v', '--version')
+      option(opts, '-V', '--verbose-version')
+      option(opts, '--[no-]color')
+      option(opts, '--[no-]fixed-only')
+    end
+
+    def add_configuration_options(opts)
+      option(opts, '-P', '--package-source PACKAGE-SOURCE')
+      option(opts, '-S', '--vuln-source VULN-SOURCE')
+    end
+
+    def add_strategy_options(opts)
+      Builtins::ALL.each do |strategy|
+        strategy.cli_options.each do |opt|
+          option(opts, *opt)
+        end
+      end
+    end
+  end
+
+  module OptionsHelp
+    TEXT = {
+      color:                 'Force colored output on or off.',
+      format:               ['Choose an output formatter. This option',
+                             'can be specified multiple times to enable',
+                             'multiple formatters at the same time.',
+                             '  [s]imple (default)',
+                             '  [j]son',
+                             '  custom formatter class name'],
+      fail_fast:             'Exit as soon as a defect is discovered.',
+      fixed_only:           ['Only report vulnerabilities which have a fix',
+                             'version noted in the vulnerability source.'],
+      list_target_files:    ['List the package source files that would be inspected',
+                             'and then exit.'],
+      out:                  ['Use with --format to instruct the previous formatter',
+                             'to output to the specified path instead of to stdout.'],
+      package_source:       ['Choose a package source.',
+                             '  [d]pkg (default)',
+                             '  custom package source class name'],
+      vuln_source:          ['Choose a vulnerability source.',
+                             '  [d]ebian (default)',
+                             '  custom vulnerability source class name'],
+      version:               'Display version.',
+      verbose_version:       'Display verbose verison.'
+    }.freeze
+  end
+end

data/lib/dobby/package.rb

@@ -0,0 +1,156 @@
+# frozen_string_literal: true
+
+module Dobby
+  # A Package describes a particular Debian package installation.
+  # Dobby::Package is adapted from Debian::Deb and Debian::Field
+  #   source: https://anonscm.debian.org/cgit/pkg-ruby-extras/ruby-debian.git/tree/lib/debian.rb
+  class Package
+    # MaxVersion is a special value which is always sorted first.
+    MAX_VERSION = '|MAX|'
+
+    # MinVersion is a special value which is always sorted last.
+    MIN_VERSION = '|MIN|'
+
+    # A required field was missing during initialization
+    class FieldRequiredError < Error
+      attr_reader :args, :field
+      def initialize(field)
+        super("Missing required field '#{field}'")
+        @field = field
+      end
+    end
+
+    attr_reader :name
+    attr_reader :version
+    attr_reader :release
+    attr_reader :source
+    attr_reader :dist
+    attr_reader :arch
+    attr_reader :target
+    attr_reader :multiarch
+
+    # Set up a new Debian Package
+    #
+    # @param name [String] Package name
+    # @param version [String] Package version
+    # @param source [String] Name of the source package, if applicable
+    #
+    # @raise [FieldRequiredError] if initialized without name or version
+    def initialize(name:, version:, release:, dist: nil, arch: nil, source: nil,
+                   target: nil, multiarch: nil)
+      raise FieldRequiredError, 'name' unless name
+      raise FieldRequiredError, 'version' unless version
+      raise FieldRequiredError, 'release' unless release
+      raise FieldRequiredError, 'arch' if arch.nil? && multiarch == 'same'
+
+      @name = name
+      @version = version
+      @source = source
+      @dist = dist
+      @release = release
+      @arch = arch
+      @target = target
+      @multiarch = multiarch
+    end
+
+    # When a package has multiarch set to same, dpkg and apt will know of it by
+    # a name such as 'libquadmath0:amd64' instead of 'libquadmath0'. In these cases,
+    # return the name alongside the architecture to make it easier to act on results.
+    def apt_name
+      return name unless multiarch == 'same'
+
+      "#{name}:#{arch}"
+    end
+
+    # Compared to some other {Package}, should this Package be filtered from results?
+    #
+    # If filter is set to :default, return true if releases do not match or if my
+    # version is at least the other package's version.
+    #
+    # If filter is set to :target, addtionally return true if my target version is
+    # at least the other's version.
+    #
+    # @param other [Package]
+    # @param filter [Symbol]
+    #
+    # @raise [UnknownFilterError] when given an unknown value for filter
+    def filtered?(other, filter = :default)
+      return true if release != other.release || self >= other
+      return target_at_least?(other) if filter == :target
+      return false if filter == :default
+
+      raise UnknownFilterError, filter
+    end
+
+    # @return [String] String representation of the package.
+    def to_s
+      "#{apt_name} #{version}"
+    end
+
+    # @param version [Package]
+    #
+    # @return [Boolean] True if the target version meets or exceeds the provided
+    #   package version
+    def target_at_least?(version)
+      !target.nil? && version.compare_to(target.to_s) <= 0
+    end
+
+    # @param other [Package]
+    #
+    # @return [Boolean] True if other is present and other.package is the same as self.package
+    def ===(other)
+      other && (name == other.name || source == other.name || name == other.source)
+    end
+
+    # @param other [Package]
+    # @return [Boolean] True if self === other and self.version is less than other.version
+    def <(other)
+      self === other && compare_to(other.version) < 0
+    end
+
+    # @param other [Package]
+    # @return [Boolean] True if self === other and self.version is less than or
+    #   equal to other.version
+    def <=(other)
+      self === other && compare_to(other.version) <= 0
+    end
+
+    # @param other [Package]
+    # @return [Boolean] True if self === other and self.version equals other.version
+    def ==(other)
+      self === other && compare_to(other.version).zero?
+    end
+
+    # @param other [Package]
+    # @return [Boolean] True if self === other and self.version is greater than or
+    #   equal to other.version
+    def >=(other)
+      self === other && compare_to(other.version) >= 0
+    end
+
+    # @param other [Package]
+    # @return [Boolean] True if self === other and self.version is greater than other.version
+    def >(other)
+      self === other && compare_to(other.version) > 0
+    end
+
+    # @param other [Package]
+    # @return [Boolean] True if self === other and self.version does not equal other.version
+    def !=(other)
+      self === other && compare_to(other.version) != 0
+    end
+
+    # This method is wrapped by the standard comparison operators, but is provided for cases where
+    #   it is not practical to compare two Package objects.
+    #
+    # @param other [String] Version string
+    # @return [Integer]
+    def compare_to(other)
+      return 0 if version == other
+      return -1 if version == MIN_VERSION || other == MAX_VERSION
+      return 1 if version == MAX_VERSION || other == MIN_VERSION
+
+      Debian::AptPkg.cmp_version(version, other)
+    end
+  end
+end