dobby 0.1.0 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 142cdae9558311a203acb38b453482bd4e75ce9fcf6d801da64d4816b9afcf58
-  data.tar.gz: 0f85b49a7d03f4c97599d155f266010bad43c610aba4e5965568976e3b236588
+  metadata.gz: 23c15914a886f6ab773bf9123073dd7073839ec0d4cdac9c540b14dde7bcaaeb
+  data.tar.gz: fc562ad46721be21d3fef9069284d94ff01eab45128717d4d618cb8e7273ee68
 SHA512:
-  metadata.gz: e0782eacf803d612e2c1d261063016de084ba58102df9416dff0bbdb16b23c8085027b515c4fe959a079f5392045e2b279df1e1fff1750b6f893bf4a0b2caecf
-  data.tar.gz: 5a64a64e3d559be8996e41dac99f44b22b42fc4fb02075b7a319855ee95060c8a4a6d9f6b8a01e2e279c52c8ce636360773ea4fbc4554966b737fc53d21d6c77
+  metadata.gz: 487605c97b5052aa3731f9f92509cea471bb892ed6e72beb1f87f591e485c8993dd727d807dff7ff0454b0737268d9990756edc6d2758386035b963aed13d515
+  data.tar.gz: '09022e4f223629ebfb9d52e6bbc3140a710a9bb10b8dbc27c2eb0d5d8583db774cc4ffb58b869b5d6407a2acb5c4608acf4cc01c108f8fd3b60ee1c9802f3f05'

data/.gitignore

@@ -0,0 +1,16 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status
+
+.byebug_history
+.rspec
+
+Gemfile.lock

data/.rubocop.yml

@@ -0,0 +1,30 @@
+inherit_from: .rubocop_todo.yml
+
+AllCops:
+  AllowSymlinksInCacheRootDirectory: true
+  TargetRubyVersion: 2.3
+
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*'
+
+Metrics/LineLength:
+  Max: 100
+
+Metrics/ParameterLists:
+  Exclude:
+    - 'lib/dobby/package.rb'
+
+Style/CaseEquality:
+  Exclude:
+    - 'lib/dobby/package.rb'
+    - 'spec/dobby/package_spec.rb'
+
+Style/NumericPredicate:
+  Exclude:
+    - 'spec/**/*'
+    - 'lib/dobby/package.rb'
+
+Style/Documentation:
+  Exclude:
+    - 'spec/**/*'

data/.rubocop_todo.yml

@@ -0,0 +1,42 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2018-08-28 07:57:28 -0700 using RuboCop version 0.58.2.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 5
+Metrics/AbcSize:
+  Max: 45
+
+# Offense count: 1
+# Configuration parameters: CountComments, ExcludedMethods.
+# ExcludedMethods: refine
+Metrics/BlockLength:
+  Max: 33
+
+# Offense count: 1
+# Configuration parameters: CountComments.
+Metrics/ClassLength:
+  Max: 130
+
+# Offense count: 1
+Metrics/CyclomaticComplexity:
+  Max: 12
+
+# Offense count: 5
+# Configuration parameters: CountComments.
+Metrics/MethodLength:
+  Max: 52
+
+# Offense count: 1
+Metrics/PerceivedComplexity:
+  Max: 14
+
+# Offense count: 2
+Style/Documentation:
+  Exclude:
+    - 'spec/**/*'
+    - 'lib/debsecan/configuration.rb'
+    - 'lib/debsecan/options.rb'

data/.travis.yml

@@ -0,0 +1,12 @@
+sudo: false
+cache: bundler
+language: ruby
+rvm:
+  - 2.2
+  - 2.3
+  - 2.4
+  - 2.5
+  - ruby-head
+before_install: gem install bundler -v 1.16.2
+install:
+  - bundle install

data/.yardopts

@@ -0,0 +1,2 @@
+--markup markdown
+--hide-void-return

data/CHANGELOG.md

@@ -0,0 +1,8 @@
+# Change log
+
+## 0.1.0
+
+Initial release. ([@bannable][])
+
+[@bannable]: https://github.com/bannable
+

data/CONTRIBUTING.md

@@ -0,0 +1,60 @@
+# Contributing
+
+If you discover issues, have ideas for improvements or new features,
+please report them to the [issue tracker][1] of the repository or
+submit a pull request. Please, try to follow these guidelines when you
+do so.
+
+## Issue reporting
+
+* Check that the issue has not already been reported.
+* Check that the issue has not already been fixed in the latest code
+  (a.k.a. `master`).
+* Be clear, concise and precise in your description of the problem.
+* Open an issue with a descriptive title and a summary in grammatically correct,
+  complete sentences.
+* Include the gem version, `Dobby::VERSION`.
+* Include any relevant code to the issue summary.
+
+## Pull requests
+* Read [how to properly contribute to open source projects on GitHub][2].
+* Fork the project.
+* Use a topic/feature branch to easily amend a pull request later, if necessary.
+* Write [good commit messages][3].
+* Use the same coding conventions as the rest of the project.
+* Commit and push until you are happy with your contribution.
+* If your change has a corresponding open GitHub issue, prefix the commit message with `[Fix #github-issue-number]`.
+* Make sure to add tests for it. This is important so I don't break it
+  in a future version unintentionally.
+* Add an entry to the [Changelog](CHANGELOG.md) accordingly. See [changelog entry format](#changelog-entry-format).
+* Please try not to mess with the Rakefile, version, or history. If
+  you want to have your own version, or is otherwise necessary, that
+  is fine, but please isolate to its own commit so I can cherry-pick
+  around it.
+* Make sure the test suite is passing and the code you wrote doesn't produce
+  RuboCop offenses
+* [Squash related commits together][5].
+* Open a [pull request][4] that relates to *only* one subject with a clear title
+  and description in grammatically correct, complete sentences.
+
+### Changelog entry format
+
+Here is an example:
+
+```
+* Add the `fixed_by_target` method to show what is resolved if a Package is theoretically upgraded. ([@bannable][])
+```
+
+* Mark it up in [Markdown syntax][6].
+* The entry line should start with `* ` (an asterisk and a space).
+* If the change has a related GitHub issue (e.g. a bug fix for a reported issue), put a link to the issue as `[#123](https://github.com/bbatsov/rubocop/issues/123): `.
+* Describe the brief of the change. The sentence should end with a punctuation.
+* At the end of the entry, add an implicit link to your GitHub user page as `([@username][])`.
+* If this is your first contribution to RuboCop project, add a link definition for the implicit link to the bottom of the changelog as `[@username]: https://github.com/username`.
+
+[1]: https://github.com/meraki/dobby/issues
+[2]: http://gun.io/blog/how-to-github-fork-branch-and-pull-request
+[3]: http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
+[4]: https://help.github.com/articles/using-pull-requests
+[5]: http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html
+[6]: http://daringfireball.net/projects/markdown/syntax

data/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in dobby.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Joe Truba
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,103 @@
+# Dobby
+
+Static analyzer library for DPKG-versioned packages.
+
+This tool takes a set of versioned packages and compares those versions against
+a source of version vulnerability information. The tool can implement arbitrary
+strategies to this end, and at Meraki helps to answer these questions:
+
+>On the current system or across all of our servers, which packages on those servers
+>are impacted by published vulnerabilities?
+
+>Of the packages with published vulnerabilities, which have fix versions currently
+>available in the repository upstream, and what are those fix versions for each
+>distribution?
+
+>If a process is running version 1 of a service, and version 2 is installed
+>on the system, which vulnerabilities (if any) are addressed by a service restart?
+
+For building the package set, included is `DpkgStatusFile`, which by default builds
+a package set from `/var/lib/dpkg/status`, but can read and parase any similarly
+formatted file.
+
+For vulnerability information source, two strategies are included:
+* `VulnSource::Debian`: Retrieve CVE/etc information from the Debian Security Tracker.
+* `VulnSource::Ubuntu`: Checkout and parse the Ubuntu Security Tracker using bzr.
+
+Initializing the vulnerability database can be expensive in time, bandwidth
+and space. It is recommended that you initialize only a single vulnerability
+database for processing multiple package sets.
+
+## Usage
+
+As a gem:
+```ruby
+require 'dobby'
+package_set = []
+[file1, file2].each do |f|
+  package_set << Dobby::PackageSource::DpkgStatusFile.new(file_path: f)
+end
+
+strategy = Dobby::VulnSource::Debian.new
+database = Dobby::Database.new(strategy)
+scanner = Dobby::Scanner.new(nil, database)
+
+package_set.each do |package_source|
+  packages = package_source.parse
+  scanner.packages = packages
+  puts scanner.scan
+end
+```
+
+From the command line:
+```
+# Output issues for the current system as pretty text to stdout
+dobby /var/lib/dpkg/status
+
+# ... and also write issues as JSON to file.json
+dobby -f simple -f json -o file.json /var/lib/dpkg/status
+
+# Show issues for multiple files
+dobby file1 file2 file3
+```
+
+As a gem with a custom output formatter:
+```ruby
+# my_custom_executor.rb
+require 'dobby'
+require 'my/custom/formatter'
+
+cli = Dobby::CLI.new
+cli.run
+
+# CLI:
+my_custom_executor.rb -f My::Custom::Formatter /var/lib/dpkg/status
+```
+
+## Compatibility
+
+Dobby supports the following Ruby implementations:
+
+* MRI 2.2
+* MRI 2.3
+* MRI 2.4
+* MRI 2.5
+* MRI trunk
+
+## Building
+
+```
+rake build
+```
+
+## Contributing
+
+If you have found a bug or have a feature idea, take a look at the [contribution guidelines](CONTRIBUTING.md).
+
+## Changelog
+
+The changelog is available [here](CHANGELOG.md).
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'dobby'
+
+Pry.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/config/default.yml

@@ -0,0 +1,8 @@
+# DO NOT EDIT THIS FILE! IT HAS BEEN AUTO-GENERATED.
+#
+# To make changes, use script/dobby_filter.rb
+#
+---
+:whitelist: {}
+:allowed: {}
+

data/dobby.gemspec

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require File.expand_path('lib/dobby/version', __dir__)
+
+# rubocop:disable Metrics/BlockLength
+Gem::Specification.new do |spec|
+  spec.name          = 'dobby'
+  spec.version       = Dobby::Version::STRING
+  spec.platform      = Gem::Platform::RUBY
+  spec.authors       = ['Joe Truba']
+  spec.email         = ['joe@bannable.net']
+
+  spec.summary       = 'Vulnerability reporter for dpkg systems'
+  spec.description   = <<-DESCRIPTION
+    Library for injesting descriptions of dpkg based systems (primarily
+    Debian and Ubuntu), vulnerability database for those distributions and identifying
+    which installed packages are impacted by which vulnerability defects, if any.
+  DESCRIPTION
+
+  spec.homepage      = 'https://github.com/bannable/dobby'
+  spec.license       = 'MIT'
+
+  spec.required_ruby_version = ['~> 2', '>= 2.2']
+
+  spec.metadata = {
+    'changelog_uri' => 'https://github.com/bannable/dobby/blob/master/CHANGELOG.md',
+    'source_code_uri' => 'https://github.com/bannable/dobby',
+    'bug_tracker_uri' => 'https://github.com/bannable/dobby/issues'
+  }
+
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+
+  spec.bindir        = 'exe'
+  spec.executables   = ['dobby']
+
+  spec.add_development_dependency 'rake', '~> 12.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rubocop', '~> 0.52'
+  spec.add_development_dependency 'simplecov', '~> 0'
+  spec.add_development_dependency 'timecop', '~> 0.9'
+
+  spec.add_runtime_dependency 'apt-pkg', ['~> 0.4', '>= 0.2']
+  spec.add_runtime_dependency 'curb', '~> 0.9'
+  spec.add_runtime_dependency 'hashie', '~> 3.5'
+  spec.add_runtime_dependency 'oj', '~> 3'
+  spec.add_runtime_dependency 'parallel', '~> 1.12'
+  spec.add_runtime_dependency 'powerpack', '~> 0.1'
+  spec.add_runtime_dependency 'pry', '~> 0'
+  spec.add_runtime_dependency 'pry-byebug', '~> 3'
+  spec.add_runtime_dependency 'rainbow', '~> 3'
+  spec.add_runtime_dependency 'yard', '~> 0.9.16'
+
+  spec.requirements << 'libapt-pkg-dev > 1.0'
+  spec.requirements << 'bzr (when using VulnSource::Ubuntu)'
+end
+# rubocop:enable Metrics/BlockLength

data/lib/dobby.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'curb'
+require 'debian/apt_pkg'
+require 'digest'
+require 'hashie'
+require 'oj'
+require 'optparse'
+require 'pry'
+require 'psych'
+require 'pp'
+require 'rainbow'
+require 'singleton'
+require 'shellwords'
+
+require 'powerpack/string/strip_indent'
+require 'powerpack/string/blank'
+
+require_relative 'dobby/version'
+
+require_relative 'dobby/error'
+require_relative 'dobby/update_response'
+
+require_relative 'dobby/configuration'
+require_relative 'dobby/database'
+require_relative 'dobby/defect'
+require_relative 'dobby/dpkg'
+require_relative 'dobby/flag_manager'
+require_relative 'dobby/package'
+require_relative 'dobby/severity'
+require_relative 'dobby/strategy'
+
+require_relative 'dobby/package_source/abstract_package_source'
+require_relative 'dobby/package_source/dpkg_status_file'
+
+require_relative 'dobby/vuln_source/abstract_vuln_source'
+require_relative 'dobby/vuln_source/debian'
+require_relative 'dobby/vuln_source/ubuntu'
+
+require_relative 'dobby/formatter/colorizable'
+require_relative 'dobby/formatter/abstract_formatter'
+require_relative 'dobby/formatter/simple_formatter'
+require_relative 'dobby/formatter/json_formatter'
+require_relative 'dobby/formatter/formatter_set'
+
+require_relative 'dobby/scanner'
+
+require_relative 'dobby/builtins'
+require_relative 'dobby/options'
+require_relative 'dobby/runner'
+require_relative 'dobby/cli'