dobby 0.1.0 → 0.1.2
- checksums.yaml +4 -4
- data/.gitignore +16 -0
- data/.rubocop.yml +30 -0
- data/.rubocop_todo.yml +42 -0
- data/.travis.yml +12 -0
- data/.yardopts +2 -0
- data/CHANGELOG.md +8 -0
- data/CONTRIBUTING.md +60 -0
- data/Gemfile +8 -0
- data/LICENSE.txt +21 -0
- data/README.md +103 -0
- data/Rakefile +8 -0
- data/bin/console +7 -0
- data/bin/setup +8 -0
- data/config/default.yml +8 -0
- data/dobby.gemspec +58 -0
- data/lib/dobby.rb +51 -0
- data/lib/dobby/builtins.rb +17 -0
- data/lib/dobby/cli.rb +64 -0
- data/lib/dobby/configuration.rb +58 -0
- data/lib/dobby/database.rb +62 -0
- data/lib/dobby/defect.rb +74 -0
- data/lib/dobby/dpkg.rb +21 -0
- data/lib/dobby/error.rb +6 -0
- data/lib/dobby/flag_manager.rb +67 -0
- data/lib/dobby/flags.yml +8 -0
- data/lib/dobby/formatter/abstract_formatter.rb +25 -0
- data/lib/dobby/formatter/colorizable.rb +41 -0
- data/lib/dobby/formatter/formatter_set.rb +79 -0
- data/lib/dobby/formatter/json_formatter.rb +42 -0
- data/lib/dobby/formatter/simple_formatter.rb +54 -0
- data/lib/dobby/options.rb +149 -0
- data/lib/dobby/package.rb +156 -0
- data/lib/dobby/package_source/abstract_package_source.rb +17 -0
- data/lib/dobby/package_source/dpkg_status_file.rb +85 -0
- data/lib/dobby/runner.rb +152 -0
- data/lib/dobby/scanner.rb +128 -0
- data/lib/dobby/severity.rb +66 -0
- data/lib/dobby/strategy.rb +168 -0
- data/lib/dobby/update_response.rb +19 -0
- data/lib/dobby/version.rb +24 -0
- data/lib/dobby/vuln_source/abstract_vuln_source.rb +26 -0
- data/lib/dobby/vuln_source/debian.rb +166 -0
- data/lib/dobby/vuln_source/ubuntu.rb +229 -0
- metadata +45 -1
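--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 23c15914a886f6ab773bf9123073dd7073839ec0d4cdac9c540b14dde7bcaaeb
+data.tar.gz: fc562ad46721be21d3fef9069284d94ff01eab45128717d4d618cb8e7273ee68
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 487605c97b5052aa3731f9f92509cea471bb892ed6e72beb1f87f591e485c8993dd727d807dff7ff0454b0737268d9990756edc6d2758386035b963aed13d515
+data.tar.gz: '09022e4f223629ebfb9d52e6bbc3140a710a9bb10b8dbc27c2eb0d5d8583db774cc4ffb58b869b5d6407a2acb5c4608acf4cc01c108f8fd3b60ee1c9802f3f05'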
data/.gitignore
ADDED
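--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -0,0 +1,30 @@
+inherit_from: .rubocop_todo.yml
+
+AllCops:
+AllowSymlinksInCacheRootDirectory: true
+TargetRubyVersion: 2.3
+
+Metrics/BlockLength:
+Exclude:
+- 'spec/**/*'
+
+Metrics/LineLength:
+Max: 100
+
+Metrics/ParameterLists:
+Exclude:
+- 'lib/dobby/package.rb'
+
+Style/CaseEquality:
+Exclude:
+- 'lib/dobby/package.rb'
+- 'spec/dobby/package_spec.rb'
+
+Style/NumericPredicate:
+Exclude:
+- 'spec/**/*'
+- 'lib/dobby/package.rb'
+
+Style/Documentation:
+Exclude:
+- 'spec/**/*'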
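Review bot: `TargetRubyVersion: 2.3` on line 5 is stricter than the support floor the gem itself declares — data/dobby.gemspec in this release sets `spec.required_ruby_version = ['~> 2', '>= 2.2']` and the README lists MRI 2.2 — so RuboCop will happily accept 2.3-only syntax in code the gem claims runs on 2.2. Pick one floor and state it in both places, either `TargetRubyVersion: 2.2` here or `'>= 2.3'` in the gemspec. Separately, the inherited .rubocop_todo.yml added in this release excludes `lib/debsecan/configuration.rb` and `lib/debsecan/options.rb`, paths that do not appear anywhere in this gem's file list, which looks like a leftover from a rename; regenerating the todo file would drop them.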
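--- a/data/.rubocop_todo.yml
+++ b/data/.rubocop_todo.yml
@@ -0,0 +1,42 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2018-08-28 07:57:28 -0700 using RuboCop version 0.58.2.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 5
+Metrics/AbcSize:
+Max: 45
+
+# Offense count: 1
+# Configuration parameters: CountComments, ExcludedMethods.
+# ExcludedMethods: refine
+Metrics/BlockLength:
+Max: 33
+
+# Offense count: 1
+# Configuration parameters: CountComments.
+Metrics/ClassLength:
+Max: 130
+
+# Offense count: 1
+Metrics/CyclomaticComplexity:
+Max: 12
+
+# Offense count: 5
+# Configuration parameters: CountComments.
+Metrics/MethodLength:
+Max: 52
+
+# Offense count: 1
+Metrics/PerceivedComplexity:
+Max: 14
+
+# Offense count: 2
+Style/Documentation:
+Exclude:
+- 'spec/**/*'
+- 'lib/debsecan/configuration.rb'
+- 'lib/debsecan/options.rb'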
data/.travis.yml
ADDED
data/.yardopts
ADDED
data/CHANGELOG.md
ADDED
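--- a/data/CONTRIBUTING.md
+++ b/data/CONTRIBUTING.md
@@ -0,0 +1,60 @@
+# Contributing
+
+If you discover issues, have ideas for improvements or new features,
+please report them to the [issue tracker][1] of the repository or
+submit a pull request. Please, try to follow these guidelines when you
+do so.
+
+## Issue reporting
+
+* Check that the issue has not already been reported.
+* Check that the issue has not already been fixed in the latest code
+(a.k.a. `master`).
+* Be clear, concise and precise in your description of the problem.
+* Open an issue with a descriptive title and a summary in grammatically correct,
+complete sentences.
+* Include the gem version, `Dobby::VERSION`.
+* Include any relevant code to the issue summary.
+
+## Pull requests
+* Read [how to properly contribute to open source projects on GitHub][2].
+* Fork the project.
+* Use a topic/feature branch to easily amend a pull request later, if necessary.
+* Write [good commit messages][3].
+* Use the same coding conventions as the rest of the project.
+* Commit and push until you are happy with your contribution.
+* If your change has a corresponding open GitHub issue, prefix the commit message with `[Fix #github-issue-number]`.
+* Make sure to add tests for it. This is important so I don't break it
+in a future version unintentionally.
+* Add an entry to the [Changelog](CHANGELOG.md) accordingly. See [changelog entry format](#changelog-entry-format).
+* Please try not to mess with the Rakefile, version, or history. If
+you want to have your own version, or is otherwise necessary, that
+is fine, but please isolate to its own commit so I can cherry-pick
+around it.
+* Make sure the test suite is passing and the code you wrote doesn't produce
+RuboCop offenses
+* [Squash related commits together][5].
+* Open a [pull request][4] that relates to *only* one subject with a clear title
+and description in grammatically correct, complete sentences.
+
+### Changelog entry format
+
+Here is an example:
+
+```
+* Add the `fixed_by_target` method to show what is resolved if a Package is theoretically upgraded. ([@bannable][])
+```
+
+* Mark it up in [Markdown syntax][6].
+* The entry line should start with `* ` (an asterisk and a space).
+* If the change has a related GitHub issue (e.g. a bug fix for a reported issue), put a link to the issue as `[#123](https://github.com/bbatsov/rubocop/issues/123): `.
+* Describe the brief of the change. The sentence should end with a punctuation.
+* At the end of the entry, add an implicit link to your GitHub user page as `([@username][])`.
+* If this is your first contribution to RuboCop project, add a link definition for the implicit link to the bottom of the changelog as `[@username]: https://github.com/username`.
+
+[1]: https://github.com/meraki/dobby/issues
+[2]: http://gun.io/blog/how-to-github-fork-branch-and-pull-request
+[3]: http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
+[4]: https://help.github.com/articles/using-pull-requests
+[5]: http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html
+[6]: http://daringfireball.net/projects/markdown/syntax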
data/Gemfile
ADDED
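--- a/data/LICENSE.txt
+++ b/data/LICENSE.txt
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Joe Truba
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.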
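--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,103 @@
+# Dobby
+
+Static analyzer library for DPKG-versioned packages.
+
+This tool takes a set of versioned packages and compares those versions against
+a source of version vulnerability information. The tool can implement arbitrary
+strategies to this end, and at Meraki helps to answer these questions:
+
+>On the current system or across all of our servers, which packages on those servers
+>are impacted by published vulnerabilities?
+
+>Of the packages with published vulnerabilities, which have fix versions currently
+>available in the repository upstream, and what are those fix versions for each
+>distribution?
+
+>If a process is running version 1 of a service, and version 2 is installed
+>on the system, which vulnerabilities (if any) are addressed by a service restart?
+
+For building the package set, included is `DpkgStatusFile`, which by default builds
+a package set from `/var/lib/dpkg/status`, but can read and parase any similarly
+formatted file.
+
+For vulnerability information source, two strategies are included:
+* `VulnSource::Debian`: Retrieve CVE/etc information from the Debian Security Tracker.
+* `VulnSource::Ubuntu`: Checkout and parse the Ubuntu Security Tracker using bzr.
+
+Initializing the vulnerability database can be expensive in time, bandwidth
+and space. It is recommended that you initialize only a single vulnerability
+database for processing multiple package sets.
+
+## Usage
+
+As a gem:
+```ruby
+require 'dobby'
+package_set = []
+[file1, file2].each do |f|
+package_set << Dobby::PackageSource::DpkgStatusFile.new(file_path: f)
+end
+
+strategy = Dobby::VulnSource::Debian.new
+database = Dobby::Database.new(strategy)
+scanner = Dobby::Scanner.new(nil, database)
+
+package_set.each do |package_source|
+packages = package_source.parse
+scanner.packages = packages
+puts scanner.scan
+end
+```
+
+From the command line:
+```
+# Output issues for the current system as pretty text to stdout
+dobby /var/lib/dpkg/status
+
+# ... and also write issues as JSON to file.json
+dobby -f simple -f json -o file.json /var/lib/dpkg/status
+
+# Show issues for multiple files
+dobby file1 file2 file3
+```
+
+As a gem with a custom output formatter:
+```ruby
+# my_custom_executor.rb
+require 'dobby'
+require 'my/custom/formatter'
+
+cli = Dobby::CLI.new
+cli.run
+
+# CLI:
+my_custom_executor.rb -f My::Custom::Formatter /var/lib/dpkg/status
+```
+
+## Compatibility
+
+Dobby supports the following Ruby implementations:
+
+* MRI 2.2
+* MRI 2.3
+* MRI 2.4
+* MRI 2.5
+* MRI trunk
+
+## Building
+
+```
+rake build
+```
+
+## Contributing
+
+If you have found a bug or have a feature idea, take a look at the [contribution guidelines](CONTRIBUTING.md).
+
+## Changelog
+
+The changelog is available [here](CHANGELOG.md).
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).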
data/Rakefile
ADDED
data/bin/console
ADDED
data/bin/setup
ADDED
data/config/default.yml
ADDED
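--- a/data/dobby.gemspec
+++ b/data/dobby.gemspec
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require File.expand_path('lib/dobby/version', __dir__)
+
+# rubocop:disable Metrics/BlockLength
+Gem::Specification.new do |spec|
+spec.name = 'dobby'
+spec.version = Dobby::Version::STRING
+spec.platform = Gem::Platform::RUBY
+spec.authors = ['Joe Truba']
+spec.email = ['joe@bannable.net']
+
+spec.summary = 'Vulnerability reporter for dpkg systems'
+spec.description = <<-DESCRIPTION
+Library for injesting descriptions of dpkg based systems (primarily
+Debian and Ubuntu), vulnerability database for those distributions and identifying
+which installed packages are impacted by which vulnerability defects, if any.
+DESCRIPTION
+
+spec.homepage = 'https://github.com/bannable/dobby'
+spec.license = 'MIT'
+
+spec.required_ruby_version = ['~> 2', '>= 2.2']
+
+spec.metadata = {
+'changelog_uri' => 'https://github.com/bannable/dobby/blob/master/CHANGELOG.md',
+'source_code_uri' => 'https://github.com/bannable/dobby',
+'bug_tracker_uri' => 'https://github.com/bannable/dobby/issues'
+}
+
+spec.files = Dir.chdir(File.expand_path('..', __FILE__)) do
+`git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+end
+
+spec.bindir = 'exe'
+spec.executables = ['dobby']
+
+spec.add_development_dependency 'rake', '~> 12.0'
+spec.add_development_dependency 'rspec', '~> 3.0'
+spec.add_development_dependency 'rubocop', '~> 0.52'
+spec.add_development_dependency 'simplecov', '~> 0'
+spec.add_development_dependency 'timecop', '~> 0.9'
+
+spec.add_runtime_dependency 'apt-pkg', ['~> 0.4', '>= 0.2']
+spec.add_runtime_dependency 'curb', '~> 0.9'
+spec.add_runtime_dependency 'hashie', '~> 3.5'
+spec.add_runtime_dependency 'oj', '~> 3'
+spec.add_runtime_dependency 'parallel', '~> 1.12'
+spec.add_runtime_dependency 'powerpack', '~> 0.1'
+spec.add_runtime_dependency 'pry', '~> 0'
+spec.add_runtime_dependency 'pry-byebug', '~> 3'
+spec.add_runtime_dependency 'rainbow', '~> 3'
+spec.add_runtime_dependency 'yard', '~> 0.9.16'
+
+spec.requirements << 'libapt-pkg-dev > 1.0'
+spec.requirements << 'bzr (when using VulnSource::Ubuntu)'
+end
+# rubocop:enable Metrics/BlockLength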
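Review bot: `pry`, `pry-byebug` and `yard` are declared with `add_runtime_dependency` (lines 50, 51 and 53), and data/lib/dobby.rb line 9 in this same release does `require 'pry'` unconditionally, so every `require 'dobby'` installs and loads an interactive debugger plus a documentation generator that the library does not need at runtime. Moving those three to `add_development_dependency` and dropping the `require 'pry'` from lib/dobby.rb shrinks the install footprint and the third-party code surface of a tool meant to run on production hosts; the `'~> 0'` pin on `pry` also accepts any pre-1.0 release, which makes that surface hard to reason about. Two smaller points: the description heredoc on line 15 reads `injesting` where `ingesting` is meant, and line 31 uses `File.expand_path('..', __FILE__)` while line 3 already uses the `__dir__` form.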
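--- a/data/lib/dobby.rb
+++ b/data/lib/dobby.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'curb'
+require 'debian/apt_pkg'
+require 'digest'
+require 'hashie'
+require 'oj'
+require 'optparse'
+require 'pry'
+require 'psych'
+require 'pp'
+require 'rainbow'
+require 'singleton'
+require 'shellwords'
+
+require 'powerpack/string/strip_indent'
+require 'powerpack/string/blank'
+
+require_relative 'dobby/version'
+
+require_relative 'dobby/error'
+require_relative 'dobby/update_response'
+
+require_relative 'dobby/configuration'
+require_relative 'dobby/database'
+require_relative 'dobby/defect'
+require_relative 'dobby/dpkg'
+require_relative 'dobby/flag_manager'
+require_relative 'dobby/package'
+require_relative 'dobby/severity'
+require_relative 'dobby/strategy'
+
+require_relative 'dobby/package_source/abstract_package_source'
+require_relative 'dobby/package_source/dpkg_status_file'
+
+require_relative 'dobby/vuln_source/abstract_vuln_source'
+require_relative 'dobby/vuln_source/debian'
+require_relative 'dobby/vuln_source/ubuntu'
+
+require_relative 'dobby/formatter/colorizable'
+require_relative 'dobby/formatter/abstract_formatter'
+require_relative 'dobby/formatter/simple_formatter'
+require_relative 'dobby/formatter/json_formatter'
+require_relative 'dobby/formatter/formatter_set'
+
+require_relative 'dobby/scanner'
+
+require_relative 'dobby/builtins'
+require_relative 'dobby/options'
+require_relative 'dobby/runner'
+require_relative 'dobby/cli'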